
Part 3 FOOD SAFETY MANAGEMENT SYSTEM ISO 22000:2005

To Ensure Integrity of Food Supply Chain

1. AIM:-
I. Control food safety hazards in order to consistently provide safe end products
that meet both requirements agreed with the customer and those of applicable
food safety regulation.
II. Enhance customer satisfaction through the effective control of food safety
hazards.

2. APPLICABILITY: - all types of organisations within the food chain (Farm to fork)

- Feed producers
- Primary producers
- Food Manufacturers
- Transport and storage operators
- Subcontractors
- Retail and food service outlets (Hotels and caterers)
- Manufacturers of equipment, packing material, cleaning agents & additives,
ingredients.

3. FOOD SAFETY: - Preventing food borne hazards at the point of consumption

4. METHODOLOGY: - Combine HACCP plans and prerequisite programmes
(PRPs) to ensure hazard control. PRPs are further divided into infrastructure and
maintenance PRPs and operational PRPs. Identify the risks, evaluate the risks and
take action. Keep improving through verification of effectiveness.

5. BENEFITS:-
- Increased Due Diligence
- More Efficient And Dynamic Food Safety Hazard Control
- All Control Measures Subjected To Hazard Analysis
- Fill The Gap Between ISO 9001:2000 And HACCP.
- System Approach Rather Than Product Approach.
- Covers the entire Food chain.
- Make the organization ready to meet the requirements of new FOOD SAFETY ACT.
- Easier to meet the new food safety bill requirements
- Better traceability

6. STEPS IN IMPLEMENTATION
1. Training of top management
2. Identification of FOOD SAFETY POLICY AND OBJECTIVES
3. Formation of inter disciplinary FOOD SAFETY TEAM & appointment of Team
Leader.
4. Development of documentation of the Quality Manual, Food Safety Manual and
procedures (including the following lower-level documents):

i. Emergency preparedness and response plan
ii. Product description including raw materials, ingredients and food
contact materials [also covering statutory & regulatory requirements]
iii. Prerequisite Programmes (PRP)
iv. Quality Plan
v. Flow diagram, process steps, control measures, traceability system
vi. Hazard assessment
vii. Selection and assessment of control measures
viii. HACCP Plan
ix. Operational Prerequisite programmes
x. Withdrawal programme (product recall procedure)
xi. Formats

5. Training of Internal Auditors.
6. Implementation of the system
7. Internal Audits (Food Safety) as per the system and follow up activities
8. Management Review Meetings
9. Pre-assessment audit by third party auditor
10. Audit of third party auditor and clearance of certification audit in two phases
10.1 Pre assessment
10.2 Certification (valid for three years)

Part 4 INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) ISO 27001

1) AIM: - A comprehensive information security management system (ISMS)
plays a critical role in ensuring that your organization can successfully
face information security threats from a wide range of sources and continue its
operations. This matters because of the present-day trend towards the paperless
office, with businesses heavily dependent on internet, e-mail communication,
wide area networks etc. Being online can sometimes be a nightmare. The sources
of these threats may include sabotage, espionage, vandalism, fraud, hacking etc.
(remember the Gurgaon or the Bangalore BPO bank fraud cases?)

The standard ISO 27001 lays down the principal elements and policies of the
organization’s information security system. These include risk assessment and
management, objectives for control of information security practices and
business continuity management processes. The standard also asks the
organization to establish a comprehensive and balanced set of
measurements to monitor and review the performance of the information security
management system. Risk management and business continuity management
form the most important elements of the standard. These help the management to
determine the priorities for managing information security risks and identify
appropriate actions to address these risks and to meet the requirements and
expectations of interested parties.

2) BENEFITS

- Commitment: certification serves as a guarantee of the effectiveness of the
effort put into rendering the organization secure at all levels, and demonstrates
the due diligence of its administrators.
- Compliance: certification demonstrates to competent authorities that the
organization observes all applicable laws and regulations & contractual
requirements.
- Risk management: leads to a better knowledge of information systems, their
weaknesses and how to protect them. Equally, it ensures a more dependable
availability of both hardware and data.
- Credibility and confidence: Partners, Shareholders and Customers are
reassured when they see the importance afforded by the organization to
protecting information. Certification can help set apart a company from its
competitors and in the marketplace.
- Reduced costs related to information security breaches, and possible reduction
in insurance premiums.
- Improves employee awareness of information related issues and their
responsibilities within the organization.
- Better business continuity and recovery from emergency situations so as to
meet SLAs

3) SUMMARY OF THE STANDARD [CONTROL OBJECTIVES]

I. Information security policy


Provide management direction and support for information security. Defines
corporate objectives for information security

II. IT security organisation & 3rd party connections


Manage information security within the company. Maintain the security of
organizational information processing facilities and information assets accessed by
3rd parties (suppliers, partners, customers).
Maintain the security of information when the responsibility for information
processing has been outsourced to another organization.

III. Assets classification and control


Determine and maintain appropriate protection of corporate assets.

IV. Personnel security


Reduce risks of human error, theft, fraud or misuse of facilities. Ensure that users are
aware of information security threats and concerns, and are equipped to support the
corporate security policy in the course of their normal work. Minimize the damage
from security incidents and malfunctions and learn from such incidents.

V. Physical & environmental security


Prevent unauthorised access, damage and interference to business premises and
information. Prevent loss, damage or compromise of assets and interruption to
business activities. Prevent compromise or theft of information and information
processing facilities.

VI. Computer & network management


Ensure the correct and secure operation of information processing facilities.
Minimise the risk of systems failures. Protect the integrity of software and
information.
Maintain the integrity and availability of information processing and
communications.
Ensure the safeguarding of information in networks and the protection of the
supporting infrastructure.
Prevent damage to assets and interruptions to business activities. Prevent loss,
modification or misuse of information exchanged between organizations.

VII. System access control

Control access to information. Prevent unauthorized access to information systems.
Ensure the protection of networked services. Prevent unauthorized computer access.
Detect unauthorised activities. Ensure information security when using mobile
computing and teleworking facilities.

VIII. System development & maintenance

Ensure security is built into operational systems. Prevent loss, modification or
misuse of user data in application systems. Protect the confidentiality, authenticity
and integrity of information. Ensure IT projects and support activities are conducted
in a secure manner. Maintain the security of application system software and data.

IX. Business continuity planning

Counteract or prevent interruptions to business activities and to critical business
processes from the effects of major failures or disasters.

X. Compliance

Avoid breaches of any criminal or civil law, statutory, regulatory or contractual
obligations and of any security requirements.
Ensure systems security parameters, operating procedures etc. comply with
organisational security policies and standards.
Maximize the effectiveness of and to minimize interference to/from the system audit
process.

4) STEPS IN IMPLEMENTATION OF ISMS
1. Training of top management
2. Identification of ISMS POLICY AND OBJECTIVES
3. Awareness training to all employees
4. Development of documentation (ISMS documents)
i. Identification of information assets
ii. Risk assessment methodology [including legal & contractual
requirements]
iii. Risk assessment
iv. Defining the scope of ISMS
v. Identifying the appropriate control objectives and controls
vi. Statement of applicability
vii. Risk treatment plan
viii. Procedures as per ISMS
ix. Business continuity Plan
x. Formats
5. Training of Internal Auditors.
6. Implementation of the documented system
7. Internal Audits (ISMS) as per the system and follow up activities
8. Management Review Meetings
9. Pre-assessment audit by third party auditor
10. Audit of third party auditor and clearance of certification audit in two phases
10.1 Pre assessment
10.2 Certification (valid for three years)

SA8000
SA8000 is a global social accountability standard for decent working conditions,
developed and overseen by Social Accountability International (SAI). Detailed
guidance for implementing or auditing to SA8000 is available from its website. SAI
offers training in SA8000 and other workplace standards to managers, workers and
auditors. It also operates an accreditation agency that licenses and oversees auditing
organizations to award certification to employers that comply with SA8000.

Basis
SA8000 is based on the UN Universal Declaration of Human Rights, Convention on
the Rights of the Child and various International Labour Organization (ILO)
conventions. SA8000 covers the following areas of accountability:
- Child labour
- Forced labour
- Workplace safety and health
- The right to organize
- Discrimination
- Workplace discipline
- Working hours
- Wages
- Management system for Human Resources

Corporate social responsibility

- Respect for human rights
- Fair treatment for the workforce
- Protecting the environment
- Ethical behaviour of the organization
- Being a good neighbour

Details of the standard

- The first global standard for ethical sourcing
- Designed for independent verification
- A global standard, designed for use by any company, anywhere in the world
- Has been developed with stakeholders
- Is designed to take local laws and requirements into account

Certifications

More than 640,000 workers are employed in 1200 facilities certified to SA8000, in 60
countries and 70 industrial sectors. The industrial sectors with the most certifications
include apparel and textiles; building materials; agriculture; construction; chemicals;
cosmetics; cleaning services and transportation. The countries with the most
certification to SA8000 include Brazil, India, China and Italy.
The cost of acquiring a certification for a factory, farm or office varies with the number of
employees and the location. It can range up to 10-12,000 USD for large facilities.

Significance

Dominic A. Tarantino, Chairman of Price Waterhouse World Firm, described SA8000 in 1998
as "the first ever universal standard for ethical sourcing... It provides a common framework
for ethical sourcing for companies of any size and any type, anywhere in the world. SA8000
sets out provisions for issues such as trade union rights, the use of child labor, working hours,
health and safety at work, and fair pay." However, it does not address broader issues of
ecology or bribery or other issues which may require more consumer or executive restraint.
Tarantino further argued the need for moral leadership: "Pricing, products and services are
no longer the sole arbiters of commercial success... it is business that must take the
lead in taming the global frontier. Business must take the lead in establishing rule of
law in emerging markets. Business must take the lead in stopping bribery. Business
must take the lead in bringing order to cyberspace. Business must take the lead in
ensuring that technology does not split the world into haves and have nots."

Benefits

1. Fewer accidents
2. Enhanced opportunities to be organized
3. A way to address and improve the conditions where people work
4. Increased worker awareness about core labor rights
5. Enhanced communication to the management
6. Evidence that labor rights are good for society and business
7. Improved business practices lead to economic growth and new job
opportunities
8. A credible and effective way to put social responsibility into action
9. Enhanced company and brand reputation
10. Improved employee recruitment, retention and performance
11. Gains in quality and productivity
12. Savings from fewer workdays lost and lower insurance bills
13. Less expensive than an internal compliance program
14. Better relationships among workers, trade unions, companies, customers, NGOs
and government
15. Clear, credible information for those who want to make ethical purchasing
decisions
16. Useful data for socially responsible investors
17. Identification of products made under humane conditions
18. Identification of companies making progress toward humane conditions
19. Broad coverage of product categories and production geography

Why to implement SA8000


To differentiate and offer value to customers.

Driven by commitment to provide safe workplaces.

Set a global standard that complies with all local laws and customs.
