IMPACT 2017 Quarter 4 - DQS Inc. · 2020-05-16 · IMPACT 2017 Quarter 4 Presented by DQS Inc. As...


IMPACT 2017 Quarter 4

Presented by DQS Inc.

Preparing for the New Year

As we approach the end of 2017, we would like to take some time to review progress on the latest revisions to the standards, as well as the planning work needed to complete our customers' transitions in 2018.

Across the industry, adoption of the new standards (ISO 9001:2015, ISO 14001:2015, IATF 16949:2016 and AS9100:2016) has been slower than expected. Just under 50% of certificate holders had upgrade audits completed by the end of 2017, and the majority of those audits took place in the second half of the year.

The remaining 50% of certified customers still need an upgrade audit to these standards before the end of June 2018, to leave time for closure of non-conformances, technical review and certificate issuance ahead of the September 14, 2018 deadline. This volume of audit days in the first half of 2018 will make planning difficult, and short-notice schedule changes even harder to accommodate. It will also lengthen certificate issue times, even after non-conformances are closed.

We therefore encourage all customers who still require an upgrade assessment to lock in audit dates for the first half of 2018 and keep to them. Our customer service and planning teams are confident they can accommodate all audits, but we need our customers to book now and adhere to the schedule.

In the midst of these busy times we still take time to give back to our community. This year we coordinated a gift drive for JourneyCare, which provides hospice care for pediatric patients. Every year JourneyCare holds a holiday party for its pediatric patients and gives a gift to each patient and their siblings. DQS employees donated boxes full of toys for the party. We are proud to support a wonderful organization with this gift drive, our chance to spread some holiday cheer.

To all of our customers, partners, and friends, we wish you all Happy Holidays and a healthy and prosperous New Year!


Guiding Standards for Cybersecurity

What is cybersecurity?

Cybersecurity has become a buzzword in the industry over the last couple of years. How does it differ from information security? Cybersecurity means ensuring the security of three critical elements: (1) security of critical infrastructure, (2) data protection and (3) privacy protection.

Information security has mostly focused on data protection. The most widely used standard for this purpose is ISO/IEC 27001. It addresses infrastructure security and privacy in part, but not to the extent that the dedicated cybersecurity standards cover infrastructure security.

The main guiding standards for Cybersecurity are:

• NIST Cybersecurity Framework (CSF)

• ISO/IEC 27032 – Guidelines for cybersecurity, to be used alongside ISO/IEC 27001.

• General Data Protection Regulation (GDPR) – the new EU privacy regulation, which applies from May 25, 2018.

The basic requirements for implementing the NIST framework are to conduct a risk assessment using the NIST Risk Management Framework (RMF, NIST SP 800-37, with the risk assessment method described in NIST SP 800-30) and to implement controls from the applicable NIST SP 800-series publications, principally NIST SP 800-53.

Why NIST standards?

• All federal government and defense organizations use NIST standards for their information security.

• All federal and defense contractors that handle (store, process or transmit) information in the Controlled Unclassified Information (CUI) category must comply with NIST SP 800-171 before the end of 2017 (the DFARS clause 252.204-7012 deadline of December 31, 2017).

What is Controlled Unclassified Information (CUI)?

CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act (National Archives definition).

The National Archives (NARA) publishes a CUI Registry listing categories and subcategories by industry segment. Examples of CUI for technology contractors (under the Controlled Technical Information category) are contract data, requirement specifications, design specifications and project plans related to government projects that are stored on the contractor's computer systems.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation replaces the EU Data Protection Directive (95/46/EC) and applies from May 25, 2018. It stems from the European Commission's aim of unifying data protection law across the Union in a single regulation that applies directly in every member state, rather than a directive that each state transposes into its own national law.

The protection of personal and organizational data is crucial in a constantly growing cross-border market. The GDPR requires safeguards and measures for protecting personal data, ensuring safe data processing, and managing notification of personal data breaches (to the supervisory authority within 72 hours where feasible).

The GDPR applies to organizations that collect, process or store the personal data of individuals in the EU or EEA (it is residence in the Union that matters, not citizenship). Specifically, it applies to:

• Organizations with an establishment in at least one member state of the European Union.

• Organizations located outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the European Union, even though the organization itself has no presence there.

Overlap with ISO 27001:

ISO/IEC 27001, the NIST standards and the GDPR share a core commitment: protecting sensitive information from unauthorized access, i.e. storing, processing and transmitting it securely.

ISO 27001 is a generic standard: it defines the objectives and intent of the security controls.

Continued on page 4


EFfCI Publishes New Version of Cosmetics GMP Certification

Dr. Thijs Willaert, DQS CFS

In September 2017, the European Federation for Cosmetic Ingredients (EFfCI) published a revised version of its GMP certification scheme for cosmetic ingredients. In this article, we will take you through the main changes to the standard, in order to help you prepare for your next certification audit.

Since the initial publication of the EFfCI certification scheme in 2005, the standard has gone through 4 revision phases. The main reason for the current revision has been the publication of ISO 9001:2015, on which the EFfCI scheme builds. Although the harmonization of the EFfCI GMP standard with the new version of ISO 9001 introduces a couple of changes, we do not expect sites to encounter any problems when transitioning to the new version.

Timeline

Organizations currently certified to the 2012 edition of EFfCI GMP will need to align their quality management system to the 2017 edition and seek certification to it. Organizations have until the end of 2018 to complete the transition. From January 1, 2019 only a certificate to EFfCI GMP:2017 will be considered valid.

The transition to the 2017 edition can be achieved in a surveillance or a recertification audit.

Changes

• In line with ISO 9001:2015, the new standard emphasizes the context in which the quality system operates as well as the involvement of interested parties. For manufacturers of cosmetic ingredients, the context and interested parties align perfectly with the concepts of GMP and the protection of consumer safety.

• An independent quality unit is required in the new edition.

• The readability of the standard has been improved by integrating the guidance and the standard, instead of having the standard as an annex.

• More emphasis that the organization must have the resources to effectively implement the GMP requirements.

• If quality-critical activities are outsourced, these need to comply with the cosmetic ingredient GMPs.

• Any special storage conditions must be communicated on the product label.

• The standard now includes a definition of "significant change" to support communication.

• The standard requires organizations to define the retention period of retained samples.

• The scheme can now also be used by distributors of cosmetic ingredients. Appendix F enables distributors to identify which parts of GMP do not apply to them, so that they can implement the remaining principles

• The scheme now includes rules for multi-site certification

DQS Inc. is a recognized Certification Body by the EFfCI and ready to offer assessments. Please let us know if you have questions about new or transferred certification to EFfCI 2012 or 2017.

SQF Code 8 Updates

SQF Edition 8 takes effect January 2, 2018, and DQS Inc. is proud to announce that we have received accreditation to offer certification to this updated edition.

All sites currently certified to SQF Code Edition 7.2 with audits scheduled after January 2, 2018 will be required to meet Edition 8. Until January 2, 2018, Edition 7.2 remains in effect.

Clients will be audited to Edition 8 during their first regularly scheduled or unannounced recertification or surveillance audit in 2018. Optional gap assessments are available to support the transition. DQS is also pleased to accept transferred SQF-certified organizations that wish to be audited to Edition 8 by DQS.

The type of SQF audit depends on the previous year's audit result:

• Recertification audit: previous year grade of B or better; scheduled annually.

• Surveillance audit: previous year grade of C.

• Unannounced audit: once every three years.

Other scenarios, such as transfers, will be reviewed case by case.


Continued from page 2

It also allows organizations to select appropriate controls from Annex A and/or from any other standard. Both ISO 27001 and NIST require a security risk assessment, but ISO 27001 does not prescribe a method for conducting it (ISO/IEC 27005 offers guidance). The NIST RMF, with the risk assessment method in NIST SP 800-30, is a useful supplement for that purpose.

ISO 27001 provides an Information Security Management System Framework, which helps an organization to sustain and continuously improve its security posture.

The diagram in the original newsletter (not reproduced here) shows how ISO 27001 can be used as the overarching framework.

DQS services:

Trainings: DQS can offer awareness trainings on the following subjects:

• GDPR requirements

• Risk Management Framework (RMF)

• NIST SP 800-53 requirements

• NIST SP 800-171

Conformity assessment: Why is an Independent Conformity Assessment Required?

NIST standards were developed for government organizations to secure their information systems; the GDPR is for ensuring the privacy of personal information. Neither is intended for third-party certification (as ISO standards are), and there is no certification scheme available for the NIST standards or the GDPR. Application of the NIST standards now extends beyond government agencies: contractors are required to comply with NIST SP 800-171 by the target deadline, and very often the government also requires contractors to comply with NIST SP 800-53.

How, then, can an organization show evidence of compliance with the GDPR or the NIST standards? A conformance assessment report from an independent organization is the only option.

How to achieve conformity?

Option 1: ISO 27001 Registration:

There is considerable overlap between the controls in NIST SP 800-171, NIST SP 800-53 or the GDPR and the controls in Annex A of ISO 27001. Additional controls from the NIST standard or the GDPR can be added to the Statement of Applicability (SoA) for the ISO 27001 registration audit, and the registration scope statement will state that the SoA includes controls from the NIST standard.

Option 2: Conformity Assessment:

If an organization does not wish to pursue ISO 27001 registration, DQS can conduct an independent conformity assessment against the NIST standard and the GDPR. After a successful assessment, DQS issues a "Letter of Conformance" (LOC) and a detailed assessment report as evidence of conformance to the applicable NIST standard or the GDPR. The assessment report and LOC are valid for one year; reassessment is required for continued evidence of conformance.

Visit us online at dqsus.com

Spread the Word and Get Rewarded

DQS now has a customer referral program. With this program, we offer a $250 credit to the referring customer's account for each new customer site that contracts with DQS, as well as a $250 reduction in first audit costs for the new customer site. If you know a site that is looking for a strategic business partner to provide value-added audits and certification, visit our website (https://dqsus.com/customer-referral-program/) to refer them.