Content updated on 1st February 2024
From 12th February, GC will be visited by our external auditors, Approachable Certification, who'll spend the week carrying out an ISO re-certification audit.
Retaining ISO certification is essential for GC as it allows us to demonstrate to all of our stakeholders, including funders and commissioners, the high standards that we continually work to across all three areas we are being audited against:
- Quality - ISO 9001
- Data & Cyber Security - ISO 27001
- Environmental - ISO 14001
In addition to Lee House, the auditors have selected several sites that they'll visit as part of the audit process. It's important that we all support one another to remain vigilant and alert to the requirements of ISO at all times in line with GC’s values of 'Doing the Right Thing' and 'Stronger Together'.
As we approach the audit, there are several important things we can all do to ensure we remain compliant with the ISO requirements:
Refresh yourself on our key policies and procedures
There are some key policies and procedures that all colleagues must be aware of – the main folders where these are located are included below, along with links to incident reporting forms.
Please familiarise yourself with both the Environmental Policy and the Quality and Information Security Policy in advance of the audit, as these govern our day-to-day operations to ensure quality, information security and environmental management is fully embedded across GC.
The Integrated Management Systems Manual (IMSM) details how GC meets all 3 standards – by integrating the combined Quality Management Systems (QMS), Information Security Management Systems (ISMS) and Environmental Management Systems (EMS).
In addition to the SharePoint folder locations, we’ve also included some reminders of the areas of good practice that GC work to, which’ll help us all be mindful in conducting ourselves in the right way when the auditors observe us at work:
|
GC Complaints Policy – Customer |
|
|
GC Environmental Policy |
|
|
GDPR Checklist and Toolkits |
|
|
Incident Reporting |
Data Breach Reporting Form Incident Reporting Form (Safety, Health & Environment) |
|
Electrical and Confidential Waste Disposal Policy |
Some important reminders to ensure we remain compliant with the ISO requirements
|
|
Laptops must be locked if you’re away from your desk, and personal belongings should be stored away securely. Passwords mustn’t be written down or shared with anyone. |
|
|
PCs used by customers must be frequently checked to ensure no personal information has been saved to the hard drive – including the desktop, recycle bin and downloads folder. If documents are found here, they must be deleted immediately. |
|
|
Confidential waste – documents with personal or confidential information must be disposed of in the confidential waste bins – which must be secure, not overflowing and emptied regularly. |
|
|
Waste control – Ensure the relevant waste streams (general waste and re-cycling) have been separated appropriately and clear bin bags are used. Have regular, secure disposal of redundant IT equipment. All sites must regularly upload their waste transfer notes, hazardous waste consignment notes and certificates of destruction in the relevant site folder (This is also a legal requirement). |
|
|
Clear desks – No documentation should be left on desks unattended, or around the general office space, e.g. photocopiers, reception, kitchen, etc. Our participants should also be reminded to keep their belongings (inc. any documents containing their personal information) with them at all times and not left unattended on desks/in another room. |
|
|
PCs and laptops should have visible external asset tags. Asset numbers / identifiers can also be located by typing ‘About’ into the search tool on the task bar (bottom of the screen) and selecting ‘About your PC’. |
|
|
Cabinets containing personal information must be locked when not in use, or be free from all types of personal data. Keys must never be left in cabinets or lockers. |
|
|
Access control: site – badges should be worn at all times by colleagues and visitors (who must also sign in). Doors should be locked behind you when entering through, and tailgating must be challenged in a professional and courteous manner if you see it taking place. CCTV signage should be displayed if in use. |
|
|
Access control: systems – colleagues should have adequate access to systems to carry out their duties, with access to confidential information strictly limited to those who need it. Colleagues who’ve left the organisation must always have access revoked on (or before) their last day of service. |
|
|
Mandatory Training – All mandatory training allocated to your individual training record on PAL should be completed at the earliest opportunity. Speak to your line manager about allocating appropriate time to schedule this in. Make sure you’ve completed the three mandatory training modules assigned in January: Modern Slavery, Fraud & Bribery and Customer Complaints. |
|
|
Customer feedback – ISO 9001 also focuses on customer satisfaction, which is something we undertake at every stage of a customer journey – whenever, wherever and however they interact with GC services. Give consideration as to how you process customer feedback (positive and negative) to ensure satisfaction within your own area of responsibility. |
|
|
Site: Energy management – Lights should be turned off and natural light utilised to illuminate rooms. Equipment should be switched off when not in use. Heating should be set to a maximum of 19o C and meter readings should be up to date. TRV’s should be set to a maximum of 3. |
|
|
Site: Health & Safety – Hazardous chemical/substances should be correctly stored, with data sheets available, and teams aware of correct disposal methods. Electrical equipment should be PAT tested to ensure it’s safe and fit for purpose. Fire extinguishers and alarms must be tested and in correct working order with risk assessments completed. 1st aid kits and details of first aiders available and visible. |
