
SANTA FE CORPORATE MANUAL

CORPORATE MANUAL

Ref. No. - QM000004 Page: 1 of 68


Iss. Rev. – 1.6 Date: 01 Sept 10

COMPANY QUALITY POLICY

Santa Fe strives to be the market leader in the quality of the
services which we provide.

We seek to achieve consistent quality services that meet or
exceed our customers’ needs or expectations.

We shall foster teamwork with the objective of continuously
improving the quality of our services to minimise loss or
damage.

We continuously work to control and improve our
performance towards reducing occupational health and safety
risks to our employees.

The resulting benefits shall be shared with our customers, our
employees, and our suppliers.


COMPANY ENVIRONMENTAL POLICY

Santa Fe shall continuously work to reduce, and where
possible, eliminate any negative impact on the environment
which may be caused through the course of running the
business. This policy will be monitored and administered
through a dedicated program which is externally audited on a
regular basis.

We will comply with local government environmental
legislation and regulations, as well as strive to prevent
pollution, to utilize energy and resources effectively and to
reduce and dispose of waste products in a responsible manner.
We offer products and services which have minimal
environmental impact and give maximum consideration to
safety.

Through environmental education, we strive to raise awareness
of all our employees in order to develop a social viewpoint that
enables them to conduct environmental activities under their
own responsibility.

We actively promote the 4Rs: Reduce, Recycle, Reuse and
Replace.


COMPANY INFORMATION SECURITY POLICY

Santa Fe strives to protect company and customer
information and related assets from all threats. At all times the
cost effectiveness and fitness for purpose of countermeasures
shall be considered.

We ensure business continuity and minimise business damage
to customers and ourselves by complying with all applicable
legal and legislative regulations as well as minimising the
impact of security incidents and breakdowns of business processes
and, where possible, preventing their occurrence.

Through information security education and training, we strive
to increase awareness of all our employees in order to protect
the company and customer information and assets.

We shall foster teamwork and continuously improve to ensure
information and related assets can achieve the principles of
Confidentiality, Availability and Integrity.


COMPANY CORPORATE SOCIAL RESPONSIBILITY POLICY

Respect for everyone, care for the environment and proper behavior
are integrated in the Santa Fe culture.

People
We pledge to continuously monitor our governance system to
ensure compliance with basic human rights within our
organization and with those whom we interact - UN Global
Compact Principles 1-6

Planet
We pledge to reduce the negative impact of our business on the
environment, meet or exceed regulatory requirements and
continuously seek to improve our process to achieve higher
standards – UN Global Compact Principles 7-9

Profit
We apply a zero tolerance approach with respect to corruption,
extortion and bribery. We will continuously identify ways of
maximizing the positive impact of our business operations where
we have special skills, products or services to make a difference
in the communities where we live and work – UN Global
Compact Principle 10


REVISION HISTORY
QM000001’s issue/revision was 0 to 2.1, while last version was dated 98 Jan 31.
QM000002’s issue/revision was 0 to 3.1, while last version was dated 02 Aug 26.
QM000003’s issue/revision was 0 to 1.2, while last version was dated 06 Jan 20.
Iss. Rev.   Description                                  Page       Effective Date
0           Initial draft                                All (38)   07 Jul 12
1.0         First Release: ISO 27001:2005 (RL + RM)      All (62)   07 Sep 10
1.1         ISMS Policy, ‘Restricted’ & compliance       All (62)   07 Nov 19
1.2         Scope, new stations                          12-14      08 Jan 22
1.3         Mission, Vision                              8-10       08 Jul 07
1.4         Review ISMS Policy                           45-63      08 Aug 20
1.5         Privacy Policy; Wireless; ISO9001:2008       All        09 Sep 03
1.6         CSR; GC                                      All        10 Apr 09

DISTRIBUTION LIST

COPY #   TITLE OF HOLDERS

1        CONTROLLED COPY HOLDERS
         * Hard Copy:       Management Representative
         * Electronic Copy: HK office: Computer Server System (Server) or assigned computer /
                            floppy disk
                            Within SF Group: update local M.R. / station head by email

2        UNCONTROLLED COPY HOLDERS
         All other holders except the above mentioned. Those copies are for
         reference only. Any amendment should be referred directly to the
         controlled copy.

NAME                                          SIGNATURE   Date         Control Stamp

Integrated By:
Monica Sirait                                             01 Sept 10

** Original Approval **

Jason Will (Managing Director)                            01 Sept 10
Monica Sirait (Management Representative)                 01 Sept 10


TABLE OF CONTENTS
FOREWORD DESCRIPTION
I Cover Page
II Company Quality Policy
III Company Environmental Policy
IV Company Information Security Policy
V Company Corporate Social Responsibility Policy
VI Revision History
VII Table of Contents

SECTION DESCRIPTION

1. Introduction
1.1. Our Goals
1.2. Our Vision, Mission and Values
1.3. Our Motto
1.4. Working for Santa Fe
1.5. Santa Fe in Hong Kong and Asia
2. Purpose
3. Scope
4. Management System Requirements
4.1. General Requirements
4.2. Documentation requirements
4.3. Planning for EMS
5. Management responsibility
5.1. Management Commitment
5.2. Customer Focus
5.3. Company Quality Policy, Company Environmental Policy, Company Information Security Policy & Company CSR Policy
5.4. Planning
5.5. Responsibility, Authority and Communication
5.6. Management Review
6. Resource Management
6.1. Provision of resources
6.2. Human Resources
6.3. Infrastructure
6.4. Work Environment


7. Product Realization
7.1. Planning of product realization
7.2. Customer-related processes
7.3. Design and Development
7.4. Purchasing
7.5. Production and Service Provision
7.6. Control of Monitoring and Measuring Devices
8. Measurement, Analysis and Improvement
8.1. General
8.2. Monitoring and measurement
8.3. Control of Nonconforming Product
8.4. Analysis of Data
8.5. Improvement

SECTION DESCRIPTION

- ISO9001:2008 Matrix
- ISO14001:2004 Matrix
- ISO27001:2005 Matrix
- ISMS Policy


1. INTRODUCTION

SANTA FE TRANSPORT INTERNATIONAL LIMITED is a subsidiary of the
East Asiatic Company Ltd. A/S with Santa Fe Hong Kong as the head office, and
local offices spread across Asia and Mainland China.

The Company is engaged in international and domestic moving services for
household goods, office relocation, relocations and records management. When
required it is able to provide additional features (e.g. hoisting, electrical
installation, etc.) through the use of sub-contracted suppliers of known and
controlled quality.

1.1. OUR GOALS

At Santa Fe, we strive to be the best in our field. In fact, the pursuit of excellence
is at the very heart of our corporate culture.

This manual is to help our staff to do the best job they can: for the good of the
company and for the betterment of their careers. These two goals are inextricably
linked. A company can only do well if its people do well; and you will only be
successful if the company you work for is successful.

The guidelines of this manual are the result of years of experience from leading
people’s pursuit for quality in service or product. This will lead to a better and
more satisfying career for our staff in a successful working environment, and a
more productive future for our Company.

1.2. OUR VISION, MISSION AND VALUES

1.2.1 Our Vision:

“Deliver sustainable value through innovation.”

• We expand our geographic coverage to remain an attractive supplier of
moving, relocation and records management services
• We engage more directly with our corporate clients and customers to
better provide service and support
• We continue to develop the business based on agents and partners
• We help customers fulfil their commitment to social, environmental and
economic sustainability by operating in a way that respects and
contributes to positive development for people, planet and profit.
• We envision responsible moving and relocation services with no negative
impact on the environment.

1.2.2 Our Mission:

“We make it easy.”

• We will make it easy for corporate clients to do business with us
• We will make it easy to move/relocate with us
• We will make it easy for private customers to find us and do business
with us
• We will make it easy for any type of customer to get the services requested
• We will make it easy to continuously contribute to social, environmental
and economic sustainability based on our business model, competencies,
innovation and technology

1.2.3 Our Values:

“Quality, Efficiency, and People.”

• We will have the highest quality standards in the industry
• We will attract, develop and retain the best people in the industry
• We will offer equal, attractive and flexible career opportunities

1.3. OUR MOTTO

At Santa Fe there are three aspects of our Company that will make us stand out
from the rest and help us rise above the usual.

These are described by three words that, together, form our motto:
“Quality - Efficiency - People”

The link between these three words is our basic standpoint in business. No part
of our activities is carried out without them, and every project of every business
unit must have what these words represent.

1.3.1. QUALITY

Quality should be present in everything we do. In the pursuit of excellence,
quality is indispensable. Delivering quality gives us success, a sense of
pride, and satisfaction in our service.


The following will help us to achieve quality and environmental management
goals in our work:

1) We think quality and service at all times.
2) We are customer driven. Our goal is total customer satisfaction,
which leads to repeat business.
3) We identify customer needs and satisfy them better than the
competition.
4) We combine the best quality with the best service and value, to make
Santa Fe the best choice for our customers and our business partners.
5) We continuously monitor our services in the market place to ensure
customer and consumer satisfaction.
6) We consider quality service to be a dynamic process that can always
be improved upon.
7) We strive to fulfill the health, safety, and environmental requirements.

1.3.2 EFFICIENCY

Efficiency is something everyone should strive for, because apart from making a
company more profitable and our lives easier, it impresses our customers and our
business partners.

To gain maximum efficiency, we must make our assets work for us to their
maximum productivity and minimum waste.

This is what we will always keep in mind in our daily work:

1) We are always looking for ways to improve the efficiency of our
work.
2) We believe in self-discipline. A disciplined mind and behavior
promotes efficiency, good human relations and high productivity.
3) We can only achieve continuous efficiency when everybody works as
a team towards common company goals.
4) We must aim to solve problems better and more efficiently than our
competitors, and wherever possible, turn a problem into an opportunity.

1.3.3 PEOPLE

People are our most valuable asset. A company is judged by its people and how
they present themselves and carry out their duties.

So we place the highest priority on recruiting, training, and developing
employees who will become the very best in the market place.


The following is how we seek to achieve this:

1) We need talented, hard-working, and enterprising people.
2) We are committed to job advancement through training designed
around individual needs.
3) We endeavor to transfer skills across national borders.
4) We understand and practice performance evaluations and rewards.
5) We want employees to know what is expected of them by providing
precise job descriptions.
6) We assess staff regularly on their actual achievements.
7) We recognize and reward outstanding performance.
8) We value freedom at work but insist on set standards of performance
and targets.
9) All staff in Santa Fe have customer and market orientation, and see
our jobs as an important marketing element.
10) We respect data privacy & confidentiality.

1.4. WORKING FOR SANTA FE

Santa Fe believes in an open management style, which stimulates the individual’s
sense of participation, and develops a high degree of accountability and
responsibility.

We understand that not all employees are the same. Each has his/her own way of
thinking and is motivated in different ways. Talents vary from the creative to the
technical. And of course, everyone has his or her own unique personality.

So we don’t expect every member of staff to operate and react in exactly the same
way.

But there has to be a degree of uniformity in our procedures and systems,
otherwise there would be chaos. That’s why we put great emphasis on training,
and why everyone must follow the spirit of our motto: Quality - Efficiency -
People.

Once these basic principles are taken, our people will find a high degree of
freedom at Santa Fe. Their talents will be recognized and their performance
rewarded.


We value our people very highly at Santa Fe. We endeavor to provide a working
environment and the right incentives for people to become the best they can.

The qualities we look for in people are:

1) Honesty
2) Loyalty
3) Entrepreneurship
4) Professionalism
5) Diligence
6) Aggressiveness
7) Dedication
8) Initiative
9) Team Spirit

1.5. SANTA FE IN HONG KONG AND ASIA

Under the Santa Fe brand, EAC Moving & Relocation Services provide office,
local, domestic and international household goods moving services and a wide
range of relocation services. Records management services are provided in
Beijing, Guangzhou, Hong Kong, Jakarta, Macau, Malaysia, Manila, Singapore
and Shanghai.

Based in Asia, EAC Moving & Relocation Services continuously expanded its
operations throughout the region over the past 27 years. Currently, the business
covers operations in China, Hong Kong, India, Indonesia, Japan, Macau,
Malaysia, Manila, Singapore, South Korea, Taiwan, Thailand and Vietnam.
Services are provided to customers moving from or to other areas of the world
through relocation partners within the OMNI, FIDI and ERC networks. EAC
Moving & Relocation Services handles in excess of 26,000 relocations around
the world annually.

A key value driver for EAC Moving & Relocation Services is its high-margin
value-added relocation services, offering corporations a full range of services,
including immigration/visa, home/school search, language/cultural training,
tenancy management, financial management services and moving services. The
records management business holds an attractive growth and earnings potential as
the commercial centres across Asia continue to grow.


Presently, Santa Fe Group operates in:

• Hong Kong: Santa Fe Transport International Ltd
• Indonesia: PT. Santa Fe Indonusa -- HHGs, Records Management, Office Moving
  PT. Relokasi Jaya -- Relocation Services
• Japan: Santa Fe, Inc.
• Malaysia: Santa Fe Relocation Services Sdn. Bhd.
• Philippines: Santa Fe Moving & Relocation Services Philippines, Inc.
• PRC: Sino Santa Fe International Transportation services Co. Ltd.
  Sino Santa Fe Real Estate (Beijing) Co Ltd – Relocations Services
• Singapore: Santa Fe Relocation Services (S) Pte. Ltd.
• Thailand: Santa Fe (Thailand) Co., Ltd.
• Korea: Santa Fe Relocation Services Korea Co. Ltd.
• Taiwan: Santa Fe Relocation Services Taiwan Co. Ltd.
• Vietnam: Santa Fe JSC/ Santa Fe Relocation Services – Vietnam
• Macau: Santa Fe Relocation Services
• India: Santa Fe / IKAN Relocation Services

Our business commitment, however, remains simple: meet our customers’ needs
with a high service level, at the right price and in the time specified.

2. PURPOSE

This manual outlines the overall Company Quality Policy, Company
Environmental Policy, Company Information Security Policy and Company
Corporate Social Responsibility Policy of SANTA FE TRANSPORT
INTERNATIONAL LIMITED (SF) and its management’s responsibilities
towards quality, environment and information security. It also covers those areas
and activities that may be directly or indirectly affected by the overall quality of
its services.


The manual also describes the management system that is applied and maintained
to provide the Company’s customers with consistent quality service. This manual
may be made available to customers seeking evidence about our ability to meet
their quality requirements.

The Corporate Manual is used in conjunction with its supporting company procedures
that cover the total spectrum of the Company’s quality practices. Also, this
Corporate Manual links with the local Quality Manual, Company Procedures, Work
Instructions and/or Environmental Procedures.

The Company Quality Policy, Company Environmental Policy, Company
Information Security Policy and Company Corporate Social Responsibility Policy
described in this manual are designed to comply with the ISO9001, ISO14001,
ISO27001, FAIM and United Nations Global Compact/UNGC (Corporate Social
Responsibility or CSR) requirements. The sections and sub-sections in the
ISO9001, ISO14001, ISO27001, FAIM and UNGC are also incorporated into
this document.

3. SCOPE

The Management System described in this document covers all operations in SF
Group that involve the following scopes:
• Provision of Relocations Services, Household Moving, Office Moving,
and associated Storage Services.
• Provision of Records Management Services.
• Protection of Customer Data and Property for Relocations Services,
Records Management Services, Household Moving, Office Moving and
associated Storage Services.
• Adherence to corporate social responsibility.

The organization structure of SF Group consists of the Moving &
Relocation team (HHG), Operations & Logistics team (OPS), Records
Management team (RM), Personnel Department, General Administration and
Finance/Accounts Division.

The HHG in SFHK consists of the Traffic, Customer Service, Sales & Marketing,
House Doctor service, Relocation service, Corporate service and Administration
Departments. The OPS is completely involved in the scope of the Management
System, except FCO businesses. The RM in the scope of the Management
System includes Sales, Customer Service and Operations Services. For the
organization structure of the Finance/Accounts Division, only the Accounts
Payable and Accounts Receivable for HHG & RM are included in the scope of the
Management System.

The Corporate Manual applies to all specified removal of household goods,
office equipment services, house doctor service, relocation service and records
management service that are provided by SF HK to satisfy the needs of its
customers, in accordance with the requirements of ISO9001, ISO14001,
ISO27001 for quality and information assurance in Production, Installation,
Services and environmental management along with FAIM.

Local offices may vary operationally from each other; the details are defined in
the local quality manual.

4. MANAGEMENT SYSTEM REQUIREMENTS

4.1. GENERAL REQUIREMENTS

Quality Management System (QMS), Environmental Management System (EMS),
Information Security Management System (ISMS), FAIM quality standards
(FAIM) and United Nations Global Compact (UNGC) combine to form the
Management System (MS). Quality in a broad sense applies to process quality,
environmental quality, information security quality and UNGC quality. The
Management System shall be implemented, established, documented, and
maintained in a way that the Company’s service satisfies the customer’s
expectations and conforms to specified requirements of this manual and its
policy.

[Diagram, three document levels from top to bottom: Corporate Manual; Company Procedures / ISMS CP; Work Instructions / Environmental Procedures]

Figure: Structure of the Management System in Santa Fe.


4.2. DOCUMENTATION REQUIREMENTS

4.2.1. GENERAL

Santa Fe shall document, implement, and maintain procedures that comply with
ISO9001, ISO14001, ISO27001, FAIM & UNGC standards and the stated
Company Quality Policy, Company Environmental Policy, Company Information
Security Policy and Company Corporate Social Responsibility Policy in this
manual.

Company Procedures shall be controlled documents of the Company that expand
and support the Corporate Manual, detailing the methods, controls, verification,
and records used by the staff in the performance of their duties.

Work Instructions and Environmental Procedures shall detail the implementation of
the company procedures which are related to specific services, processes,
environmental or information security issues. These instructions shall usually be
located in the relevant working area for easy reference.

In applying the provisions of the Management System to the activities associated
with a given contract from a customer, the order of precedence shall be the
Contract, the Corporate Manual and the Procedures in the event of conflicting
requirements.

4.2.2. QUALITY MANUAL [1]

The Management System (MS) of the Company shall be defined in a series of
related documents. The documentation is identified in three basic levels -
Corporate Manual (CM)/Quality Manual, Company Procedures (including
information security company procedures) and Work Instructions/Environmental
Procedures.

The aim of Santa Fe’s management shall be to have the MS fully assessed to
ISO9001 (Quality Management Systems), ISO14001 (Environmental
management systems), ISO27001 (Information Security Management System)
and FAIM, along with UNGC requirements. The maintenance of the MS shall be
achieved through the Internal Quality, EMS, ISMS & FAIM Audits.

[1] Local offices name the top-level document the Quality Manual. SFHK renamed its Quality
Manual to Corporate Manual in 2003, to link up the operations systems among the SF Group.


The CM shall provide an adequate description of the management system, while
serving as a permanent reference in the implementation and maintenance of that
system. The CM shall be the working document which details the organization,
responsibilities and control of all functions related to quality, environmental and
information security in the Company.

In the absence of other contractual project specific control or quality plans, the
Corporate Manual shall constitute the Quality Plans, which together with all
mandatory procedures shall meet the requirements of ISO9001, ISO14001,
ISO27001 and FAIM.

In short, the business flows for HHG & RM theoretically run from customer
enquiry, through service process, to job completion. Due to the complexity of the
types of business, the sequence and interaction between the processes of the QMS
are described in flowcharts and stated in Company Procedure – Process
Control.

See Company Procedure - Process Control / CP000901


[Diagram labels: Continual improvement of the quality management system; Management responsibility; Resource management; Measurement, analysis & improvement; Product realization (Input, Output: Product); Customers: Requirements; Customers: Satisfaction; Customer Enquiry, Service Process, Job Completion. Key: Value-adding activities; Information flow.]

Figure: Model of a process-based quality management system


4.2.3. CONTROL OF DOCUMENTS

The M.R. shall have a master list of all company procedures. They shall be
controlled by fulfilling the requirements of ISO9001, ISO14001, ISO27001,
FAIM & UNGC.

The M.R. shall review regularly the Corporate Manual to ensure suitability and
effectiveness in satisfying the Quality System and requirements of ISO9001,
ISO14001, ISO27001, FAIM and UNGC. This review shall be documented and
maintained. The result of this review shall include the updating or re-approval of
Company’s Quality/Environmental/ Information Security Objectives for the next
scheduled review.

Each Department Head shall be responsible for updating its own department’s
procedures, specifications, drawings, document distribution lists, and master lists.

The status of all controlled documents should be clearly stated. Pertinent issues shall
be located in the relevant working area.

Changes to quality, environmental and information security related documents
shall be checked, authorized and implemented in accordance with the Document
Control Company Procedure. The reason for the change shall be identified and
documented with pertinent background information. Obsolete documents and data
shall be removed from the area.

All documents and information shall be classified based on the criticality and
sensitivity of their nature. Labeling and handling requirements shall be followed
according to the respective classification.

See Company Procedure - Document Control / CP000501
                        Information Classification, Labeling and Handling / CPICAH01

4.2.4. CONTROL OF QUALITY RECORDS

SANTA FE shall provide effective identification, collection, maintenance, filing,
storage, and disposal of key records.

The Company shall retain comprehensive records of all quality, environmental
and information security related activities in a master list. These records shall
include:

1) Specific project customers’ contract and contract review records
2) Records of customer complaints and corrective action
3) Internal Quality/EMS/ISMS Audits Reports
4) Job files
5) Key Operation records
6) Training Records
7) Corrective Action Review Reports
8) Minutes of Management Review Meeting

The above records shall be retained for a minimum period of one year, or longer if
required or if regulatory requirements apply, except that training records will be
kept in the office for as long as the employee is employed and a specific project
customer’s contract will be kept in the office for as long as the contract is valid.
These records shall be made available to the customer.

Records shall be easily accessible and stored in a suitable and secure location to
prevent damage, loss, and deterioration. Records originating from each
department shall be legible, kept above other records in a manner that any
information can be easily retrieved, and maintained by the appropriate department
heads. When documents exceed their required retention period, they can be
disposed of as per the department head’s instruction.

Certain records shall be held on computer along with back-up routines.

See Company Procedure – Quality Record/ CP001601

4.3. PLANNING FOR ENVIRONMENTAL MANAGEMENT SYSTEM

Environmental Management System (EMS) includes organizational structure,
planning activities, responsibilities, practices, procedures, processes and
resources for developing, implementing, achieving, reviewing and maintaining the
environmental policy.

The environmental objective is the overall environmental goal, including environmental
management and protection, arising from the environmental policy, that we set
ourselves to achieve, and which is quantified where practicable.

The environmental target is the detailed performance requirement, quantified where
practicable, applicable to us or parts thereof, that arises from the environmental
objectives and that needs to be set and met in order to achieve those objectives.

4.4. PLANNING FOR INFORMATION SECURITY MANAGEMENT SYSTEM


Information Security Management System (ISMS) includes organizational
structure, planning activities, responsibilities, practices, policies, procedures,
processes and resources for establishing, implementing, monitoring and
improving the overall maturity of the Information Security Management
System.

The information security objective is the overall information security goal, including
information security management and protection, arising from the information
policy, that we set ourselves to achieve, and which is quantified where
practicable.

The information target is the detailed performance requirement, quantified where
practicable, applicable to us or parts thereof, that arises from the information
objectives and that needs to be set and met in order to achieve those objectives.

5. MANAGEMENT RESPONSIBILITY

5.1. MANAGEMENT COMMITMENT

The Company Quality Policy, Company Environmental Policy, Company
Information Security Policy and Company Corporate Social Responsibility Policy
contained in the pages of this manual define Santa Fe’s commitment to the quality,
environmental and information security management systems, and are authorized by
the CEO who shall have executive responsibility for the control of the
organization and its QMS, EMS, ISMS, FAIM and UNGC.

5.2. CUSTOMER FOCUS

The tender, contract, or order shall be reviewed to ensure that the customer
requirements are adequately defined and documented in terms of:

1) Scope of work.
2) Special requirements (if applicable).
3) Regulatory requirements.
4) Quality requirements.
5) Security requirements (if applicable).
6) Delivery dates.
7) Price for the service.

In applying the provisions of the Quality and Information Security Management
System to the activities associated with a given contract from a customer, the
order of precedence shall be the Contract, the Corporate Manual and the
Procedures in the event of conflicting requirements. (Related to 7.2.1, 7.2.2 and
8.2.1)

5.2.1. ENVIRONMENTAL ASPECTS

An environmental aspect is an element of the organization’s activities,
products, or services that can have a significant environmental
impact. The organization shall establish, implement and maintain a
procedure to identify environmental aspects of its activities, products
or services.

See Environmental Procedure – Environmental Aspects/ EP040302

The company shall decide which purchased goods or services have a
significant environmental aspect and evaluate the supplier’s or
subcontractor’s environmental status or concern.

See Company Procedure – Purchasing/ CP000601
See Environmental Procedure – Indirect Aspect Control/ EP040406

5.2.2. LEGAL AND OTHER REQUIREMENTS

The organization shall comply with all legal and other requirements
that apply to its activities and operations.

The organization shall identify, implement and maintain the
environmental and information security legal requirements
applicable to its activities. In Indonesia, this information can be
accessed on the following websites:
http://www.bapedal.go.id/publik/peraturan
or
http://www.bppt.go.id/ or http://www.depkominfo.go.id/

The environmental and information security legal and regulatory
requirements shall be provided to those who need to know.

5.3. COMPANY QUALITY POLICY, COMPANY ENVIRONMENTAL
POLICY, COMPANY INFORMATION SECURITY POLICY AND
COMPANY CORPORATE SOCIAL RESPONSIBILITY POLICY

The policies shall be introduced to all staff upon appointment as part of the
introduction process for new employees. Existing staff shall be advised of the
policies, and a permanent copy shall be kept on display as directed by the MD.
The Environmental Committee and the SF Group Information Security Steering
Committee communicate the Policy to persons working on behalf of Santa Fe,
where applicable. The effectiveness of the policy should be continually reviewed
and improved. The policies are available to the public upon request.

5.4. PLANNING

5.4.1. QUALITY, ENVIRONMENTAL AND INFORMATION
SECURITY OBJECTIVES/TARGETS

All members of staff shall be committed to achieve total customer satisfaction
through the provision of a Quality Service. Santa Fe’s people shall be able to
demonstrate our ability to provide a Quality Service to customers and staff alike.
In order to achieve total customer satisfaction each department should have its
own quality/environmental/information security objectives/targets. For better
monitoring on continuous improvement, the Objectives should be reviewed
monthly unless otherwise specified.

See Quality Objectives for each department, and Environmental Objectives/
Targets for the Company, and Information Security Objectives/Targets for the
Company

5.4.2. MANAGEMENT SYSTEM PLANNING

The combination of the Corporate Manual and Company Procedures, Work
Instructions/ Environmental Procedures and Information Security Policies is the
Company’s quality plan. They shall be used to define in detail how the
QMS/EMS/ISMS/FAIM/UNGC or objectives are to be attained. The specific
allocation of responsibilities and authorities in performing different activities
shall be specified.

See Appendix for Environmental Objectives/Targets / Envi Q O _ Appendix


See Work Instruction – Environmental Management / WIENVI01

5.5. RESPONSIBILITY, AUTHORITY AND COMMUNICATION

5.5.1. RESPONSIBILITY AND AUTHORITY

The responsibility, authority, and interrelationship of all personnel who manage,
perform, and verify work that affects quality shall be defined and maintained in
an Organization Chart and Job Description for all major functions within the
Company.

All employees shall receive the most recent copy of their own Job Description.
Personnel shall maintain all Job Descriptions for all HK Santa Fe employees, as
well as the Group organization chart in the SF Group. Local offices shall keep
and maintain the local organization chart and Job Descriptions properly, and
shall update the SFHK Personnel team monthly on the local organization chart.

See Company Procedure – Management Responsibility/ CP000101

5.5.2. MANAGEMENT REPRESENTATIVE

The MD has created a position known as Management Representative (M.R.)
under the Human Resource Department of Group function to maintain the
Quality System. The M.R. shall establish, implement and maintain the Quality
System. The performance of the system shall be reported to management for
quality improvement review.

The M.R. shall be given the necessary authority and responsibility to ensure the
operation’s effectiveness in operating its QMS, EMS, ISMS, FAIM and UNGC
to meet the requirements of ISO9001, ISO14001, ISO27001, FAIM and UNGC.
The M.R. shall prepare and implement the internal audit program,
initiate corrective actions, and provide QMS/EMS/ISMS data for management
review.

Each local Management has assigned an M.R. for the local office, with the
necessary authority and responsibility to ensure the operation’s effectiveness.

5.5.3. ENVIRONMENTAL COMMITTEE

Management shall provide resources essential to the implementation and control
of the environmental management system. Resources include human resources
and specialized skills, technology and financial resources.

Management has set up an Environmental Committee to facilitate effective
environmental management for SF Indonesia. The Environmental Committee
consists of, but is not limited to, the MD, M.R., Financial Controller, System
Administrator, Manager of OPS, HR Manager & Administration Manager, and
Managing Director/HHG & RM.


[Organization chart: Environmental Committee. From top to bottom: MD;
Management Representative; HR & Admin Manager, Whs & Operation Manager
and All Department Head.]

5.5.4. INFORMATION SECURITY MANAGER

The CEO has created a position known as Information Security Manager (ISM)
to maintain the Information Security Management System. The ISM shall
establish, implement and maintain the Information Security Management System.
The performance of the system shall be reported to management for information
security improvement review.

The ISM shall be given the necessary authority and responsibility to ensure the
operation’s effectiveness in performing ISO27001 requirements.

The Deputy ISM shall prepare and implement the internal audit program, initiate
corrective actions, and provide QMS/EMS/ISMS data for management review.

Each local Management has assigned an ISM for the local office, with the
necessary authority and responsibility to ensure the operation’s effectiveness.

The SF Group Information Security Steering Committee is composed of the CEO,
MIS Manager, Group Manager of Relocation Services, station in-charge and MD &
Management Representative, in head office.

The Information Security Working Team of HK head office is composed of the MD,
MIS Manager, Information Security Manager, Deputy Information Security Manager,
Financial Controller, Senior Personnel Officer, Relocation Services Manager,
Senior Operations Manager and Sales of Marketing Manager and Administration
Manager. The MD is appointed as “Information Security Manager” who is fully
responsible for all related information security activities and initiatives.
The Management Representative is also appointed as Deputy Information Security
Manager, to assist him/her in the formulation and execution of the information
security related activities.

5.5.5. COMMUNICATION

Management should communicate the Company Quality Policy, Company
Environmental Policy, Company Information Security Policy, and Company
Corporate Social Responsibility Policy, Quality/Environmental/Information
Security Objectives/Targets and the accomplishments in an effective way to all
employees. It is important to make sure that they understand and are directly
involved in the improvement of the organization’s performance and achievement
of quality/environmental/information security objectives and targets.

See Environmental Procedure - Communications / EP040403

5.6. MANAGEMENT REVIEW

See Company Procedure - Management Review / CP000131

5.6.1. GENERAL

The MD along with the M.R. and other selected functional heads shall regularly
review the Corporate Manual to ensure suitability and effectiveness in
satisfying the Quality System and requirements of ISO9001, ISO14001,
ISO27001 and FAIM. This review shall be documented and maintained.

5.6.2. REVIEW INPUT

See Company Procedure - Management Review / CP000131

5.6.3. REVIEW OUTPUT

See Company Procedure - Management Review / CP000131

6. RESOURCE MANAGEMENT

6.1. PROVISION OF RESOURCES

The Department Managers shall be responsible for identifying and providing
equipment, facilities, and adequate resources. Verification activities shall require
qualified personnel with adequate training.

Management System Audits shall be performed by suitably independent
personnel. Any required training needs shall be provided and referenced in the
individual’s training record.

6.2. HUMAN RESOURCES

6.2.1. GENERAL

The Company believes that the greater contribution in quality performance by its
employees and the Company Quality Policy, Company Environmental Policy,
Company Information Security Policy and Company Corporate Social
Responsibility Policy may only be achieved through a properly trained and
skilled work force monitored by individual divisions/departments.

6.2.2. COMPETENCE, TRAINING AND AWARENESS

To ensure that staff training and development is effective throughout the
Company, the Department Managers shall review the training procedures. The
training needs of each individual shall be identified and these needs shall be met
through the provision of the appropriate training.

Extending and advancing the skills of the employees with the purpose of
improving their work satisfaction and getting a flexible work force shall enable
the Company to undertake a wider range of service and management tasks. The
Department Manager shall provide additional “on-the-job” training, if deemed
necessary. The progress shall be documented from an on-going monitoring and
supervision process.

The Department Managers may recommend special training on any new
techniques, processes, and equipment from either the M.R., or externally by other
professional or accredited bodies. Any external training needs the MD’s
approval, and certification of course completion must be passed to Personnel.

Internal auditors shall be trained and certified in-house.

The records of special training shall be retained in the training file relating to the
individual concerned. Records shall be maintained for all training and
development activities.

See Company Procedure - Training / CP001801


6.3. INFRASTRUCTURE

Santa Fe offers a full range of packing and worldwide moving services. The
Company policy shall ensure that Santa Fe carefully plans out the operation’s
moving sequence and exercises control over all aspects of the removal.

All processes of the operation shall be subjected to controlled conditions by:

1) The provision of and compliance with documented procedures, working
instructions that require all necessary parts of our services to be carried
out.
2) The maintenance of safe and suitable working conditions.
3) The accurate identification and safekeeping of customer effects.
4) The identification and records of all items and staff providing the service
at any point in the operation.
5) The verification of the conformance of items at specified stages in the
operation and verification that service itself meets customer requirements.
6) The maintenance of all equipment used in the provision of the service,
regular calibration of equipment used for measuring purposes, and regular
time synchronization.
7) The safe and effective handling of effects at all stages in the operation.
8) The planning of appropriate and suitable stages in packing the effects
safely.
9) The safe and effective delivery of effects to the customer.
10) The maintenance of appropriate records which provide evidence of
inspections and other aspects of operation control.
11) The conformance to the quality, health, safety and environmental system.

To ensure specific requirements are met when processes cannot be verified until
customer use, qualified and trained operators shall carry the processes out
with continuous monitoring.

The M.R. shall work in conjunction with other managers that are responsible for
maintaining effective operation control.

6.4. WORK ENVIRONMENT

Management realizes that a suitable work environment has a positive influence
on the motivation and performance of people, which in turn enhances the
performance of the organization. Regular checks on the maintenance of safe and
suitable working conditions, supporting equipment and other facilities are needed.


6.4.1. EMERGENCY PREPAREDNESS AND RESPONSE

The management establishes, implements and maintains procedures to identify
potential for and respond to accidents, emergency situations, information security
and business continuity and for preventing and mitigating the environmental and
information security impacts that may be associated with them. The procedures
apply to fire prevention, insurance, theft prevention, pest control, first aid
activities and business interruption.

Santa Fe shall review and revise, where necessary, emergency preparedness and
response procedures, in particular after the occurrence of accidents or emergency
situations, and the business continuity plan after the breakdown of business
processes. Such procedures shall be tested periodically where practicable.

Santa Fe shall regularly review the occupational health & safety procedure.
Where necessary the occupational health & safety procedure shall be amended to
address changes to the activities, service or operating conditions.

See Work Instruction – Occupational Health & Safety/ WISAFE01


See Environmental Procedure – Fire Emergency/ EPSOSE01
See Business Continuity Management / CPBCMT01

7. PRODUCT REALIZATION

7.1. PLANNING OF PRODUCT REALIZATION

These plans shall be consistent with the Management System requirements. To
meet the specific requirements, the following activities shall be considered:

1) Preparation of quality plans for new services and non-conforming
projects.
2) Identification and acquisition of any needed controls, processes,
equipment, tools, resources and skills to attain the required quality.
3) Procedures in production processing, installing,
4) Servicing, inspecting, and testing are compatible along with
documentation.
5) Updating of quality control, inspection and testing techniques, along
with new instrumentation and tools development.
6) Identification of any measurement requirements that is capable of
exceeding the present method, in order to develop for future
expectations.
7) Identification of verification points to trace services provided.
8) Clarification of acceptable standards to satisfy the quality
requirements.
9) Identification and preparation of quality records.
10) Identification of operations and activities associated with significant
environmental aspects, and in line with the policy, objectives and
targets.

See Company Procedure – Testing & Inspection / CP001001

7.2. CUSTOMER-RELATED PROCESSES

7.2.1. DETERMINATION OF REQUIREMENTS RELATED TO
THE PRODUCT

The contract/quotation shall determine the requirements specified by the
customer or any additional requirements determined by the company.

See Work Instruction – Quotation Process

7.2.2. REVIEW OF REQUIREMENTS RELATED TO THE
PRODUCT

The review shall verify the availability of internal capabilities (finance, process,
quality assurance, security requirements, resource availability) and resolvability
of conflicting requirements.

See Company Procedure - Contract Review / CP000301

7.2.3. CUSTOMER COMMUNICATION

Effective communication with customers in relation to the service and
satisfaction can be arranged by providing brochures, presentations, and
performance reports.

See Work Instruction - Customer Comments and Complaints/ WIHCMT01,
WIRMCM01, WIFFCC01, WIRLCO01 & WIFRCC01


7.3. DESIGN AND DEVELOPMENT

This sub-clause is excluded, as it does not apply to the operations.

7.4. PURCHASING

See Company Procedure - Purchasing/ CP000601

7.4.1. PURCHASING PROCESS

Suppliers and sub-contractors selected shall be capable of providing services,
products and/or materials that consistently meet the specified quality
requirements.

New suppliers shall be subjected to appraisals on their capability and quality
control systems. The quality of supplies from suppliers shall be continuously
monitored. Third party risk assessment on accessing Santa Fe’s information
processing facilities and information shall be performed prior to engaging in any
activities. A non-disclosure agreement undertaking shall be signed before
information exchange or access to information processing facilities.

Retention of approved or qualified status by a supplier shall be conditional on an
assessment of the supplier’s ability to maintain a product at the specified level of
product / service agreed by both parties.

The quality of services, materials and parts purchased by Santa Fe from the sub-
contractors in turn affects customer satisfaction. Hence, control of sub-
contractors is essential.

7.4.2. PURCHASING INFORMATION

The necessary information for identification, such as product description,
quantity and delivery date, shall be contained on the ordered product. Authorized
staff shall review and approve the purchase order for accuracy. When necessary,
the information about the EMS will be provided to suppliers and contractors.

7.4.3. VERIFICATION OF PURCHASED PRODUCT

Packing material received from the supplier should be inspected for quality
and quantity to make sure the purchased product meets specified purchase
requirements.

Where Santa Fe or our customer intends to perform verification at the supplier’s
premises, Santa Fe shall arrange the details for the verification.

7.5. PRODUCTION AND SERVICE PROVISION

7.5.1. CONTROL OF PRODUCTION AND SERVICE PROVISION

Santa Fe offers a full range of packing and worldwide moving services. The
Company policy shall ensure that Santa Fe carefully plans out the operation’s
moving sequence and exercises control over all aspects of the removal.

Servicing of the customer once they have received their goods at the required
destination without any claims does not apply in our operation.

We shall provide claims assistance but this procedure falls under Insurance.

7.5.2. VALIDATION OF PROCESSES FOR PRODUCTION AND
SERVICE PROVISION

The contract review procedure and Credit Policy shall be established,
implemented and maintained to ensure the requirements are understood by those
who need to take action, and to ensure the responses are properly coordinated.

Upon receipt of an inquiry, contract, or agreement, prior to commencement of
any work, a review shall ensure that the customer’s requirements are adequately
defined and fully understood. The necessary information shall be available for
preparation and submission of a proposal or a quotation to the customer with the
terms and conditions attached. Processes of production and services shall
conform to the quality, health, safety and environmental system.

Santa Fe shall establish related procedures/work instructions for these processes
including, as applicable:
- defined criteria for review and approval of the processes
- approval of equipment and qualification of personnel
- use of specific methods and procedures
- requirements for records, and
- revalidation.


7.5.3. IDENTIFICATION AND TRACEABILITY

During all stages of the operation, delivery, and installation, the products shall be
identifiable by the job number. Identification of individual products shall be
maintained in documented procedures.

The physical items in the Management System shall be adequately marked by
physical identification (i.e. item and liftvan labels, carton labels, specialized
materials), physical demarcation of a work area, recording of information on a
document, and logging of information on a computer file.

Santa Fe shall ensure traceability of the items through controlling of movement
and recording the movement.

Records in Traffic Department shall show evidence of control, and the source of
supplied items and services. Identification and traceability procedures shall be
effective for investigating any problems so appropriate corrective actions can be
taken.

Santa Fe shall provide a clear identification of customer’s effects to indicate if the
status is conforming or non-conforming through specific markings.

Records of inspections shall be maintained in detail. The physical markings and
labeling of items shall be used after packing and loading.

The handling procedures shall state clearly who has the responsibility for the
inspection of the effects upon delivery to the customer and for the monitoring of
the service provided.

See Company Procedure - Identification & Traceability/CP000801

7.5.4. CUSTOMER PROPERTY

Santa Fe shall ensure verification of all customer’s effects against the customer
description upon receipt. Santa Fe shall ensure all items can be identified at any
stage of the operation. All items shall be carefully stored and maintained whilst
in the Company’s possession and shall follow the defined ISMS Policy and
Information Security procedures. Non-conforming products shall be stored in a
designated area (if necessary), and reported along specified channels of
communication.

Any instances of lost, damaged, stolen goods, or other quality related problems
shall be noted on the relevant document and handled accordingly. The customer
shall be notified and the incident shall be reviewed.

7.5.5. PRESERVATION OF PRODUCT

All material used in operations shall be handled and stored in such a manner as to
prevent damage or deterioration. All personnel shall be provided the required
training in methods of handling customer’s effects. These techniques shall be
documented in procedures that are accessible by appropriate personnel.

Materials and effects shall be stored in an environment maintained to preserve
quality and shall be assessed to detect any deterioration. Material receipt /
issuance shall be monitored daily.

The storage of items shall be controlled to ensure that customer’s effects are
identified clearly and secured whilst in the Company’s possession. This control
shall include the appropriate labeling of stored crates, and if possible, individual
cartons shall be checked by a supervisor at the point of receiving and releasing.

Any non-conforming material in storage shall be reviewed, marked and
segregated in accordance with documented procedures.

7.6. CONTROL OF MONITORING AND MEASURING DEVICES

Santa Fe shall maintain an effective control of quality that is related to measuring
equipment. Nominated staff shall be responsible for maintaining a register of all
tools and equipment that are subjected to control.

In order to ensure the accuracy required and known uncertainty, a certified
contractor shall calibrate the relevant items against required standards annually.
Calibration records shall be maintained for evidence of control.

8. MEASUREMENT, ANALYSIS AND IMPROVEMENT

8.1. GENERAL

Santa Fe shall carry out comprehensive quality checks at all key stages in the
operation to verify the fulfillment of documented procedures.

Statistical requirements shall be defined to establish and verify operation’s
capability. Statistics shall be analyzed to determine corrective action and records
shall be maintained.

The organization shall establish and implement procedures to monitor and
measure, on a regular basis, key characteristics of its operations and activities that
could have a significant impact on the environment, and to periodically evaluate
compliance with the relevant environmental legislation and regulations.

8.2. MONITORING AND MEASUREMENT

8.2.1. CUSTOMER SATISFACTION

See Work Instruction - Customer Comments and Complaints/ WIHCMT01,
WIRMCM01, WIFFCC01, WIRLCO01 & WIFRCC01

8.2.2. INTERNAL AUDIT

Internal Audits on QMS/EMS/ISMS/FAIM/UNGC shall be planned to cover all
aspects of the Management System with careful consideration of the frequency of
each audit. These audits shall ensure that the Management System is
continuously effective, and its requirements and procedures are being updated
and applied in the most efficient manner.

The M.R. shall be responsible to verify whether quality and information security
activities comply with the planned arrangements and to determine the
effectiveness of the QMS/EMS/ISMS/FAIM/UNGC. He shall prepare an internal
quality audit schedule at the beginning of each year.

The internal audit program shall be conducted once a year in all areas to assure
compliance. The schedule shall be based on the importance and priority of the
area being audited. The internal quality auditor shall be responsible for setting
up the auditing schedule.

Appointed auditors shall have no direct responsibility for the function being
audited and shall be given a comprehensive set of procedures relevant to the
department with copies of previous audit reports. Findings from previous audits
in particular areas may increase the frequency of audits for those problem
activities.

The Department Manager shall monitor the implementation of the corrective &
preventive action taken by related parties and shall re-audit the activities
according to the agreed schedule. The details of this action shall be recorded.
The M.R. shall receive the original copies of the Internal Audit Reports for
review and for storage. Periodic review shall be required by the Management
Team.

All reviews shall be documented and records of these shall be maintained.

See Company Procedure - Internal Quality Audit / CP001701

8.2.3. MONITORING AND MEASUREMENT OF PROCESSES

Inspection of certain item’s inner space, vehicle and equipment, which have been
specified for maintenance, repair, or calibration, shall be required. Monitoring of
service shall be observed by authorized personnel.

All purchased packing material shall be inspected for verification of conformance
with the purchase request.

Records of verification of activities shall be kept to provide evidence of
conformance of items and service, and to ensure the traceability of these items
with the QMS/EMS/ISMS/FAIM/UNGC. Records of evidence that the
environmental requirements are being met shall be kept.

8.2.4. MONITORING AND MEASUREMENT OF PRODUCT

The extent and nature of inspection shall be based on objective evidence at the
customer’s premises and shall be recorded for conformance, damage and
quantities on the packing list and/or job report and/or loading chart (item
checklist) and other related documents.

Urgent customer effects shall be positively identified and recorded in order to
confirm the effects’ original state of non-conformity to specified requirements in
the event of a recall or replacement request.

Evidence of conformance shall be determined through final inspection of the
serviced effects which is done upon delivery. An authorized individual shall
carry out verification of activities.

No customer effects shall be dispatched until the proper procedures of inspection
are done.


8.2.5. MONITORING CORPORATE SCHEME

Local offices carry out ISO activities as usual and submit key information to the
HK office every 6 months. This key information comprises the internal and
external quality audit plan and audit results; management review meeting details;
quality and environmental objectives; customer feedback.

8.3. CONTROL OF NON-CONFORMING PRODUCT

Despite the Company’s efforts in planning and controlling the operation, non-
conformance may occur. Certain non-conformance may in fact result from
supplier’s or customer’s actions.

All procedures shall ensure that each non-conformance, whether relating to an
aspect of Santa Fe’s service or to a physical item, is identified, investigated and
segregated to prevent unintended use. In the short-term, the appropriate
action shall be taken to prevent or minimize any shortfalls in the service
provided to the purchase customer.

Under the authority for review and disposition, non-conforming product shall
either be reworked to meet specified requirements, accepted with or without
repair, rejected or scrapped.

Whenever possible, the customer should be informed of the details of any non-
conformance during packing / loading / unloading / delivery. Physical records of
non-conformance and the actions taken shall be analyzed to assure whether
further corrective action is needed.

When non-conformance is observed, Santa Fe staff shall initial a discrepancy
report and pass it to his/her manager. The manager shall review and determine
action. The M.R. shall record the incident.

See Company Procedure - Control of Non-Conformity / CP001301

8.4. ANALYSIS OF DATA

Statistical methods, techniques and tools shall be documented to reduce variation
that affects quality.

Santa Fe shall analyze the trend of customer’s comments, claims, discrepancies
and other data retrieved from each job. The results shall be fed back to the related
department for quality behavior evaluation of each crew.

Necessary monitoring actions of problem sub-contractors may be taken to keep
the trend from getting worse.

8.5. IMPROVEMENT

8.5.1. CONTINUAL IMPROVEMENT

The MD along with the M.R. and other selected functional heads shall be
responsible for reviewing the overall effectiveness of the Management System
and its documentation. This group known as the Management Team shall
determine if the overall company quality objectives/ environmental / information
security objectives are being achieved.

8.5.2. CORRECTIVE ACTION

All departments shall be responsible for identifying and recommending timely
effective actions to rectify or eliminate deficiencies of actual or potential non-
conformity found within their area. Proper documentation of any new procedure
shall prevent deficiencies from recurring.

The issue of a Corrective Action Report (CAR) may come from the following, but
is not restricted to them:

1) Customer comments / complaints in Performance Report
2) Agent report
3) Discrepancy report
4) Site visiting report
5) Other internal reports

If the Department Head feels the matter needs further investigation, the M.R.
shall be informed. The M.R. shall investigate and determine whether Corrective
Action is necessary and initiate a new CAR.


8.5.3. PREVENTIVE ACTION

The system for preventive action shall detect and eliminate potential causes of
non-conformity or deficiency. Initiation and implementation of preventive
actions shall follow controls documented for effectiveness. Relevant information
on actions taken shall be submitted for management review. The system for
preventive action shall detect and eliminate potential causes of non-conformity or
deficiency, by:

- Management review meeting
- Internal quality audit
- Discrepancy report
- Internal external communication
- Commit to legal regulations and other requirement
- Business plan

See Company Procedure – Corrective Action / CP001401


ISO9001: 2008 Matrix

| ISO9001: 2008 | Santa Fe Procedures | Ref. No. |
| 4 Quality management system | Corporate Manual | QM000004 |
| 4.2.3 Control of record | Document Control | CP000501 |
| 4.2.4 Control of records | Quality Record | CP001601 |
| 5 Management responsibility | Corporate Manual | QM000004 |
| 5.2 Customer focus | Corporate Manual | QM000004 |
| 5.3 Quality Policy | Corporate Manual | QM000004 |
| 5.4 Planning | Corporate Manual | QM000004 |
| 5.4.1 Quality Objectives | Process Control | CP000901 |
| | Quality Objectives | - |
| 5.5 Responsibility, authority & communication | Corporate Manual | QM000004 |
| | Management responsibility | CP000101 |
| 5.5.3 Internal Communication | Corporate Manual | QM000004 |
| | Communications | EP040403 |
| 5.6 Management review | Management Review | CP000131 |
| 6 Resource Management | Corporate Manual | QM000004 |
| 6.2.2 Competence, awareness & training | Personnel Activities Process | WIPPER01 |
| | Training | CP001801 |
| 6.3 Infrastructure | Process Control | CP000901 |
| 6.4 Work environment | Process Control | CP000901 |
| 7 Product realization | Corporate Manual | QM000004 |
| 7.2 Customer-related processes | Contract review | CP000301 |
| 7.3 Design and development | Excluded. This clause does not apply to the operations, as we provide service only. | - |
| 7.4 Purchasing | Corporate Manual | QM000004 |
| | Purchasing | CP000601 |
| | Inspection and Testing | CP001001 |
| 7.5 Production & service provision | Corporate Manual | QM000004 |
| | Contract Review | CP000301 |
| | Identification and Traceability | CP000801 |
| | Process Control | CP000901 |
| | Inspection and Testing | CP001001 |


| | Santa Fe Work Instructions | e.g. Wixxx0x |
| | Dangerous Goods Handling | WIFFDG01 |
| | Radioactive Substance Handling | WIFRAS01 |
| 7.5.3 Identification & traceability | Corporate Manual | QM000004 |
| | Identification and Traceability | CP000801 |
| | Control Process | CP000901 |
| | Quality Record | CP001601 |
| | Santa Fe Work Instructions | Wixxxx0x |
| | Control of NC | CP001301 |
| 7.5.4 Customer Property | Corporate Manual | QM000004 |
| | Process Control | CP000901 |
| | General Packing Service | WIOGPS01 |
| | Warehouse Process | WIOWHS01 |
| 7.6 Control of monitoring & measuring devices | Corporate Manual | QM000004 |
| | Control of NC | CP001301 |
| | General Packing Service | WIGPS01 |
| 8 Measurement, analysis & improvement | Corporate Manual | QM000004 |
| 8.2.1 Customer satisfaction | Customer Comments & complaints | WIHCMT01 |
| | | WIRMCM01 |
| | | WIFFCC01 |
| | | WIRLCO01 |
| | | WIFRCC01 |
| 8.2.2 Internal audit | Internal quality audits | CP001701 |
| 8.2.3 Monitoring & measurement of process | Corporate Manual | QM000004 |


ISO14001: 2004 Matrix

| ISO14001: 2004 | Santa Fe Procedures | Ref. No. |
| 4.1 General requirements | Corporate Manual | QM000004 |
| 4.2 Environmental policy | Corporate Manual | QM000004 |
| 4.3 Planning | Corporate Manual | QM000004 |
| 4.3.1 Environmental aspects | Environmental Aspects | EP040301 |
| | Environmental Aspects Evaluation Register | EP040301-register |
| 4.3.2 Legal & other requirements | Legal & Other Requirements | EP040302 |
| | Legal and Other Requirements Evaluation Register | EP040302-register |
| 4.3.3 Objectives, targets and programme(s) | Environmental Objectives / Targets | Envi Q O-x |
| | Appendix For Environmental Objectives / Targets | Envi Q O _ Appendix |
| 4.4 Implementation & operation | Corporate Manual | QM000004 |
| | Environmental Aspects | EP040301 |
| | Legal & Other Requirements | EP040302 |
| | Indirect Aspect Control | EP040406 |
| 4.4.1 Resources, roles, responsibility & authority | Management Responsibility | CP000101 |
| 4.4.2 Competence, training and awareness | Training | CP001801 |
| | Per’l Activities Process | WIPPER01 |
| 4.4.3 Communication | Communications | EP040403 |
| 4.4.4 Documentation | Document Control | CP000501 |
| 4.4.5 Control of documents | Document Control | CP000501 |
| 4.4.6 Operational control | Indirect Aspect Control | EP040406 |
| | Evaluation Register & Control Method for Indirect Aspects | EP040406-register |
| | Truck Service | WIOTRS01 |
| | Waste Management | WIWMGT01 |


| 4.4.7 Emergency preparedness and response | Fire Emergency | EPSOSE01 |
| | Chemicals Handling | WICHEM01 |
| | Dangerous Goods Handling | WIFFDG01 |
| | Occupational Health & Safety | WISAFE01 |
| | Radioactive Substance Handling | WIFRAS01 |
| 4.5 Checking | Corrective Action | CP001401 |
| | Internal Quality Audits | CP001701 |
| 4.5.1 Monitoring & measurement | Corporate Manual | QM000004 |
| | Environmental Aspects | EP040301 |
| 4.5.2 Evaluation of compliance | Legal & Other Requirements | EP040302 |
| | Indirect Aspect Control | EP040406 |
| | Appendix For Environmental Objectives / Targets | Environmental QO_ Appendix |
| | Environmental Management | WIENVI01 |
| 4.5.3 Nonconformity, corrective action and preventive action | Corrective Action | CP001401 |
| 4.5.4 Control of Records | Quality Record | CP001601 |
| 4.5.5 Internal audit | Internal Quality Audits | CP001701 |
| 4.6 Management review | Management review | CP000131 |


ISO27001: 2005 Matrix

| ISO27001:2005 | Santa Fe Procedures | Ref. No. |
| 4.1 General Requirements | Corporate Manual | QM000004 |
| 4.2 Establishing and Managing MS | Corporate Manual | QM000004 |
| | Risk Management | CPRKMT01 |
| 4.3 Documentation Requirements | Corporate Manual | QM000004 |
| | Information classification, labeling and Handling | CPICAH01 |
| | Documents Control | CP00501 |
| | Quality Record | CP001601 |
| 5.1 Management Commitment | Corporate Manual | QM000004 |
| 5.2 Resource Management | Corporate Manual | QM000004 |
| | Management Responsibility | CP000101 |
| | Training | CP001801 |
| | Human Resource Security | CPHRSS01 |
| 6 Internal MS audits | Corporate Manual | QM000004 |
| | Internal Quality Audits | CP001701 |
| | Technical Vulnerability Assessment | CPTVAS01 |
| 7.1 General | Corporate Manual | QM000004 |
| | Management review | CP000131 |
| 7.2 Review Input | Corporate Manual | QM000004 |
| | Management review | CP000131 |
| 7.3 Review Output | Corporate Manual | QM000004 |
| | Management review | CP000131 |
| 8.1 Continual Improvement | Corporate Manual | QM000004 |
| | Corrective Action | CP001401 |
| 8.2 Corrective Action | Corporate Manual | QM000004 |
| | Corrective Action | CP001401 |
| 8.3 Preventive Action | Corporate Manual | QM000004 |



| | Corrective Action | CP001401 |
| A.5 Security Policy | Corporate Manual | QM000004 |
| A.6 Organization of Information Security | Corporate Manual | QM000004 |
| | Management Responsibility | CP000101 |
| | Human Resource Security | CPHRSS01 |
| | Third Party Risk Assessment | CPTPRA01 |
| A.7 Asset Management | Corporate Manual | QM000004 |
| | Asset Management | CPASMT01 |
| | Configuration Management | CPCFMT01 |
| | Information Classification, Labeling and Handling | CPICAH01 |
| A.8 Human Resources Security | Corporate Manual | QM000004 |
| | Training | CP001801 |
| | Human Resource Security | CPHRSS01 |
| | Human Resource Security - Casual Labor & Temp Staff | CPHRCL01 |
| A.9 Physical and Environmental Security | Corporate Manual | QM000004 |
| | Process Control | CP000901 |
| A.10 Communications and Operation Management | Corporate Manual | QM000004 |
| | Backup Management | CPBUMT01 |
| | Capacity Management | CPCPMT01 |
| | Change Management | CPCHMT01 |
| | Configuration Management | CPCFMT01 |
| | Desktop Management | CPDTMT01 |
| | Information Exchange | CPIEXC01 |
| | Network Management | CPNWMT01 |
| | Server Management | CPSVMT01 |
| | Purchasing | CP000601 |
| A.11 Access Control | Corporate Manual | QM000004 |
| | Access Control | CPACTL01 |
| A.12 Information Systems Acquisition, Development and Maintenance | Corporate Manual | QM000004 |
| | Information Systems Development and Maintenance | CPISDM01 |
| | Configuration Management | CPCFMT01 |

| | Technical Vulnerability Assessment | CPTVAS01 |
| | Cryptographic Management | CPCGMT01 |
| A.13 Information Security Incident Management | Corporate Manual | QM000004 |
| | Information Security Incident Management | CPIIMT01 |
| A.14 Business Continuity Management | Corporate Manual | QM000004 |
| | Business Continuity Management | CPBCMT01 |
| A.15 Compliance | Corporate Manual | QM000004 |
| | Internal Quality Audits | CP001701 |
| | Technical Vulnerability Assessment | CPTVAS01 |


ISMS Policy

1. SECURITY POLICY

1.1 SANTA FE’s management shall establish information security policy for
the “Protection of customer data and property for relocation services and
record management services”.
1.2 The ISMS policies shall align with the Company’s policy and business
requirements; comply with the legislative requirements; and make
reference to the international standards and industry best practices.
1.3 Principles of Information Security: Integrity, Availability, Confidentiality
and Authentication shall be observed and built into the information
security management system, related policies, procedures and
instructions.
1.4 All policies shall be reviewed and approved by MD. The approved
policies have to be released, published and communicated to all related
stakeholders.
1.5 In order to ensure the suitability, adequacy and effectiveness of the
policies, all policies and procedures shall be reviewed by Information
Security Steering Committee at least annually or subject to major
changes in business requirements, legislative requirements,
infrastructure, application, organizational structure and key staff.

2. ORGANIZATION OF INFORMATION SECURITY

2.1 INTERNAL ORGANIZATION

2.1.1 Management shall actively commit and support information
security through setting strategic direction and goals, assigning
roles, responsibilities, and accountabilities; allocating sufficient
resources and continually reviewing, approving and improving the
information security policies within SANTA FE.
2.1.2 SF Group Information Security Steering Committee and Working
Team are established. MD appoints “Information Security
Manager (ISM)”, who is fully responsible for all related
information security activities and initiatives. S(he) also appoints
a Deputy Information Security Manager, to assist ISM in
formulation and execution of the information security related
activities.
2.1.3 Job Description including roles, responsibilities, and required
competency levels shall be defined for each staff. Job


Description shall be reviewed by respective Department Heads
and approved by Divisional Heads, Department Heads or MD.

2.1.4 All new critical information processing facilities shall be
approved by authorized personnel according to the defined
authorization matrix. This policy shall follow the Company’s
Purchasing Company Procedure. The risk of all critical new
information processing facilities shall be identified and evaluated.
Unless this is a sole supplier or proprietary service or subject to
the approval of Managing Director, at least three suppliers for the
new information processing facility services shall be obtained for
comparison and evaluation.
2.1.5 Requirements and needs for confidentiality or non-disclosure for
information protection shall be defined, reviewed at least annually
and approved by authorized personnel. If necessary, legal advice
may be sought.
2.1.6 Contacts for relevant authorities, interested groups, and System
Administrator related forums or associations shall be identified
and maintained in a List of Contact. Wherever there is any news
that may affect the information security within SANTA FE,
Information Security Steering Committee shall review and
evaluate the incurred impact and risk. Risk assessment and
evaluation shall be conducted prior to deployment.
2.1.7 Independent review of SANTA FE’s approach to managing
information security and effectiveness of implementation shall be
conducted at least once a year or when a major change occurs.

2.2 EXTERNAL PARTIES

2.2.1 Risks to SANTA FE’s information and information processing
facilities from external parties shall be identified. Access shall be
granted by authorized SANTA FE’s personnel. Appropriate
controls shall be adopted to protect against information leakage.
2.2.2 Security requirements including accessing, processing,
communicating, managing and changing information
classification level and information processing facilities shall be
defined in related documents or agreement. Such requirements
shall be addressed to all related stakeholders. The policies shall
be reviewed at least annually or when a major change occurs.


3. ASSET MANAGEMENT

3.1 All assets including hardware, software, application, information,
documentation, people and infrastructure shall be identified, maintained
and recorded on Asset Inventory List. An owner shall be identified, who
should have the responsibilities for controlling, management,
maintenance, granting the access right and determining the security of the
asset. The custodian of the asset may be appointed to provide the daily
monitoring of the asset. A policy for acceptable use of the information and
assets associated with information processing facilities shall be established,
documented and implemented. Policies shall be reviewed at least once a
year or when a major change is introduced.

3.2 Information classification guidelines shall be established according to the
sensitivity, importance, value, and legislative requirements of the
information. Currently, SANTA FE has classified the information into
four levels.
3.2.1 SECRET: Unauthorized disclosure could cause serious damage
and violation of legal obligation between customer and SANTA
FE; mis-handling of customer property and sensitive
information leading to breach of contract; could cause serious
damage to SANTA FE.
3.2.2 CONFIDENTIAL: Confidential information is defined as
information that only authorized internal SANTA FE’s staff or
specific authorized external entities can access. Disclosure, use,
or destruction of confidential information could have medium
damage to SANTA FE.
3.2.3 RESTRICTED: Restricted information is defined as information
that is sensitive to the public but generally available to Santa Fe
employees and approved non-employees. Disclosure, use, or
destruction of Restricted information will have limited adverse
damage to Santa Fe & customer.
3.2.4 PUBLIC: Public information is defined as information that any
entity either internal or external to SANTA FE can access.
Disclosure, use, or destruction of Public information will have
no adverse damage on SANTA FE or the customer, and carry
no liability.

3.3 Information labeling and handling for different classification types of
information shall be developed and implemented to ensure that the
confidentiality, integrity, availability and value of the information are
protected.

3.4 This shall include the labeling and handling methods for processing,
storage protection, and transmission internally and externally and
disposal.
3.5 All printed hardcopy, manual and softcopy and data shall be subject to the
same principle. Record of disposal of information shall be maintained.

4. HUMAN RESOURCES SECURITY

4.1 RECRUITMENT AND PRIOR TO EMPLOYMENT

4.1.1 Security roles and responsibilities of employees, contractors and
third party users shall be defined and documented by means of
Job Description, Access Right Control, procedures, contract or
other written means.
4.1.2 Background verification checks on employees, contractors and
third party users shall be performed in accordance with the
legislative requirements, code of ethics, business requirements,
sensitive information access and perceived risks.
4.1.3 All employees, contractors and third party users shall agree and
sign the Terms and Conditions either in employment contract,
business contract or code of ethics or Employee Handbook as
obligation.

4.2 TRAINING

4.2.1 SANTA FE shall provide information security awareness
training, education and related training to the employees,
contractors and third party users. Any changes or updates shall
be communicated to related parties. Training record shall be
maintained. Management shall be responsible to promote the
importance of the security to all related stakeholders.

4.3 TERMINATION

4.3.1 SANTA FE has established a disciplinary policy for all those who
have committed a security breach. Management shall determine,
based on the criticality, whether a warning letter is issued to the
employee or the employment is terminated, in accordance with the
legislative requirements.
4.3.2 Management shall take the responsibilities to identify the needs
of the termination of employment or change of roles and
responsibilities for the employees according to the legislative


requirements, security and business requirements. Respective
Department Heads should take the required action.
4.3.3 SANTA FE shall maintain List of Asset and Access Right held
by each employee, contractor and third party user.
4.3.4 All employees, contractors and third party users shall return all
company assets after termination of the employment or change
of roles. Access right shall be removed immediately after they
leave SANTA FE or effective change of roles and
responsibilities.

5. PHYSICAL AND ENVIRONMENTAL SECURITY

5.1 PHYSICAL AND ENVIRONMENTAL DESIGN

5.1.1 Physical access control shall be applied to all offices, facilities
and server rooms. Security perimeters and wall, access control
system, CCTV, manned reception shall be applied to protect
unauthorized access to information processing facilities. All
doors and windows shall be locked. Security access key of
SANTA FE office must be updated quarterly, or whenever there is
a need.
5.1.2 An authorized access list must be maintained that lists those
personnel authorized to enter the restricted area. All visitors must
sign in and out, obtain a visitor sticker, and be escorted. Visitor
logs shall be reviewed monthly to identify any invalid access.
Visitor log shall be retained.
5.1.3 All offices, facilities and server rooms shall be designed in secure
means or through other compensating controls that can protect the
working environment against environmental factors including fire,
flooding, explosion, natural disaster and water leakage. The
required local legislative requirements shall be met and the
approved licenses shall be obtained, renewed, stored and hosted
properly.
5.1.4 Access points through which unauthorized persons may enter
SANTA FE’s premises shall be controlled through separation of
different zones for reception, loading, delivery and maintenance.
If the physical location can be allocated, SANTA FE’s authorized
staff shall escort such persons or, if necessary, assign them a
temporary access card after a proper identification,
authentication and authorization process. Exception is not
recommended. If deemed needed, seek the location-in-charge’s
approval (refer to Summary – Classification of “Persons working
on behalf of the organization”).

5.2 EQUIPMENT CONTROL

5.2.1 Equipment shall be sited and protected to reduce the risks from
environmental hazards, threats and opportunities for
unauthorized access.
5.2.2 Unless the risk is accepted and agreed by management, all
equipment shall be protected from power failures and
disruptions either through UPS, electricity generators or other
suitable means. Power and telecommunication cables shall be
protected from interception or damage through conduits, raised
floor or other suitable protective means.
5.2.3 Equipment shall be installed and used as per the manufacturer
instruction and local legislative requirements. Preventive
maintenance of equipment shall be conducted either by SANTA
FE or approved contractors. Record for preventive maintenance
shall be maintained. If some equipment according to the
business nature is required to conduct regular alignment and
calibration, calibration methods shall be traceable to the
manufacturer instructions, national and international standards.
Calibration record shall be maintained.
5.2.4 Equipment located outside SANTA FE’s premises shall be
protected and approved prior to execution. Security control
methods should be the same as located in SANTA FE unless
management approves the security control methodology.
5.2.5 Equipment, information and software shall not be taken off-site
unless this is approved and authorized by the management.
Move-in and move-out records shall be maintained, traceable
and auditable.
5.2.6 All items of equipment containing storage media shall be
checked to ensure sensitive information and licensed software
has been removed or securely rewritten / reformatted prior to
disposal. This shall be done by SANTA FE or via approved
contractors. Disposal shall be approved by management prior to
execution. Disposal records shall be maintained.


6. COMMUNICATIONS AND OPERATIONS MANAGEMENT

6.1 DOCUMENTATION

6.1.1 Operating procedures, instructions and manuals shall be
defined, documented and reviewed at least annually or when
major change is introduced. Approved operating
documentation shall be communicated to all related staff.
Information Classification, Labeling and Handling Company
Procedure; Document Control Company Procedure shall be
followed for all releases of operating documentation.

6.2 CHANGE MANAGEMENT

6.1.2 Changes to information processing facilities and systems shall
be controlled. All changes shall be approved prior to
deployment unless this is an emergency change that should
obtain verbal confirmation by management before execution of
change. Configuration database shall be updated accordingly.
Change records shall be traceable and auditable.

6.3 SEGREGATION

6.3.1 Segregation of duties including pair review, approval or job
rotation shall be applied to handling critical and sensitive
information to reduce the risk for unauthorized or unintentional
modification or mis-use of the assets. The corresponding duties
and responsibilities shall be defined.
6.3.2 In case no valid control can be applied due to the business
nature or economy of scale, background check prior to
employment or during employment, clear roles and
responsibilities, Confidentiality Agreement and Disciplinary
Policy shall be taken, communicated, signed and agreed by both
parties.
6.3.3 Development, test and production facilities shall be physically
separated to reduce the risks of unauthorized access or changes
to the production system.
6.3.4 In case this cannot be executed due to the existing resource
constraints, at least these three platforms shall be logically
separated. Risk assessment shall be conducted and Fallback
procedures shall be established. Risk Assessment Report and
Fallback procedures shall be approved by authorized personnel.


6.4 THIRD PARTY CONTROL

6.4.1 Requirements for third party service shall be clearly defined,
implemented, operated and maintained. This shall at least
include security control, service definitions, service level and
service penalty.
6.4.2 Monitoring, review and audit of third party service providers
shall be conducted at planned intervals, at least annually.
6.4.3 In case the service performance cannot meet the stated target,
SANTA FE shall request the third party service providers for
improvement and corrective action.
6.4.4 Any change to third party services shall be defined, documented
and approved by both parties. Risk assessment shall be
conducted prior to execution.
6.4.5 Intentional misuse resulting in a breach of any part of the
information security policy and contractual obligations will
result in business action including penalty or termination of
contract and service at the discretion of SANTA FE’s
management.

6.5 CAPACITY MANAGEMENT

6.5.1 Capacity management for resources including infrastructure,
equipment, facility, application, storage, telecommunication
bandwidth and manpower shall be projected, planned,
monitored and adjusted according to the business needs and
performance. Capacity Plan shall be aligned with the business
requirements and strategies.
6.5.2 Acceptance criteria for new information systems, new versions
or upgrades shall be established and tested prior to acceptance.
Acceptance criteria and acceptance test record shall be
maintained. Asset inventory, configuration database, change
management policy and release policy shall be followed.

6.6 CONTROL OF MALICIOUS AND MOBILE CODE

6.6.1 Detective, corrective and preventive control including anti-virus
and anti-spam, firewall, intrusion detection system or intrusion
prevention system should be implemented to protect against
malicious codes and invalid attempt. Audit Log shall be
maintained and reviewed regularly to identify any invalid
attack. User awareness and desktop policy shall be established
and communicated to all staff.

6.6.2 All SANTA FE computers and servers shall install anti-virus
software. In addition, the anti-virus software and its definition
shall be kept up-to-date. Virus-infected computers and servers
must be isolated from the network until they are verified as
virus-free.
6.6.3 System Administrator is responsible for creating procedures to
ensure the anti-virus programs have been installed in all
computers and servers, the anti-virus software is run at
regular intervals, and computers are verified as virus-free. Any
activities with the intention to create or distribute malicious
programs into SANTA FE's networks are prohibited, in
accordance with the end user acceptable policy.
6.6.4 In case the use of mobile code is authorized, the mobile code
shall be authorized according to the security policy and
unauthorized mobile code shall be prevented from execution.

6.7 BACKUP

6.7.1 Backup copies of information and software shall be performed
according to the backup schedule. Backup Schedule shall make
reference and align with the stated Recovery Time Objective
and Recovery Point Objective that shall be approved by
authorized personnel.
6.7.2 Backups shall be tested for restorability at planned intervals. One
backup copy shall be kept in remote location or off-site for
business continuity purpose. Backup shall be handled and
labeled according to the Information Classification, Labeling
and Handling Company Procedure.
6.7.3 Desktop and end user acceptance policy for use, handling,
storage and disposal of removable media shall be defined,
implemented and communicated to all staff.
6.7.4 Media shall be disposed of by secure and safe means: physical
destruction, reformatting according to the industrial
standards, shredding or other suitable means.
6.7.5 System documentation shall be protected against unauthorized
access.

6.8 INFORMATION EXCHANGE

6.8.1 Formal exchange policies and controls shall be in place to
protect the information exchange through telecommunication
facilities. Exchange agreements for information and software

including secure exchange methods and standards shall be
defined, agreed and signed by both parties.
6.8.2 Information in electronic messaging shall be protected
according to the Information Classification, Labeling and
Handling Company Procedure. Encryption and authentication
methods shall be adopted appropriately.
6.8.3 Physical media during transit shall be protected against
unauthorized access, mis-use or corruption. Required methods
shall follow the Information Classification, Labeling and
Handling Company Procedure.
6.8.4 Policies shall be developed to protect information associated
with interconnection of business information systems.

6.9 ELECTRONIC COMMERCE SERVICES

6.9.1 Electronic commerce is defined as electronic transmission such
as on-line transaction and storage of critical information.
Integrity and availability of electronic commerce services
through publicly available system shall be maintained.
6.9.2 Electronic commerce should be protected against unauthorized
access, unauthorized modification and unauthorized message
duplication.
6.9.3 For any remote administration of electronic commerce system
and its application, secure and encrypted communication
mechanism must be adopted.
6.9.4 Information involved in electronic commerce passing over
public networks shall be protected from fraudulent activity,
contract dispute, unauthorized disclosure and modification.
6.9.5 Electronic commerce site must have mechanisms to ensure
information transmitted and stored electronically is protected
from unauthorized access; and shall comply with data protection
legislation.
6.9.6 Information shall be protected to prevent incomplete
transmission, mis-routing, unauthorized message alteration,
unauthorized disclosure, unauthorized message duplication or
replay by encryption and authentication.
6.9.7 Integrity of publicly available information shall be checked and
protected from unauthorized modification. Penetration test and
technical vulnerability assessment shall be conducted at least
annually to test whether there are any loopholes and areas for
improvement. A firewall, intrusion detection system or intrusion
prevention system may be used on the electronic commerce
networks. Rules of such devices shall be reviewed regularly, at


least quarterly and logs shall be turned on and reviewed
regularly, at least monthly.
6.9.8 Secure, encrypted communications must be used for remote
administration of electronic commerce systems and applications.

6.10 MONITORING

6.10.1 Security features, service levels and management requirements
of all network services shall be identified and included in
service agreements if it is outsourced or shall be documented in
related policies, procedures and instructions.
6.10.2 The number of protocols that may be used to establish link and
connectivity are restricted or approved by authorized personnel.
Any attempt to change connectivity by new protocols or new
physical or logical links shall be reviewed by Information
Security Manager.
6.10.3 Activities for audit, fault, incident, administrator, operator,
firewall, intrusion detection system, intrusion prevention system
and access control shall be logged, monitored daily and
analyzed at least monthly to identify any invalid activities.
Relevant actions shall be taken accordingly. All logs shall be
protected in suitable means.
6.10.4 Procedures for monitoring use of information processing
facilities shall be established and reviewed at planned intervals,
at least once a year.
6.10.5 Time for all information processing systems shall be
synchronized with accurate time source. Time synchronization
shall be conducted regularly and the records shall be
maintained.

6.11 WIRELESS NETWORK

6.11.1 Wireless network should be installed, supported and maintained
by System Administrator or approved supplier.
6.11.2 Use approved authentication protocols, infrastructure and
encryption protocols. Wireless access points shall require user
authentication at the access point before granting access to Santa
Fe’s network.
6.11.3 Use approved encryption protocols; wireless passwords and data
must be encrypted.
6.11.4 Maintain the hardware address (MAC address) of each wireless
access point so that it can be registered and tracked.


6.11.5 Physical security should be considered when planning the
location of wireless access point and other wireless network
components.
6.11.6 All existing wireless access points must conform to
recommended specifications.
6.11.7 All access points must follow the standard configuration settings
for wireless access points.

6.12 MOBILE DATA INTERCHANGE VIA GPRS NETWORK

6.12.1 Wireless network should be installed, supported and maintained
by System Administrator or approved supplier.
6.12.2 Use approved Internet Service Provider (ISP) and infrastructure
as in the file SF_network_RSSQL_20090611_02.pdf to
configure the RsMobile GPRS data connection.
6.12.3 Use approved encryption protocols; wireless passwords and data
are encrypted by the ISP.
6.12.4 Physical Security is protected by the network FIREWALL
between the Internet and RsMobile Communication Server.
6.12.5 RsMobile Access can be tracked by the FIREWALL and
RsMobile Login ID in RSSQL.

7. ACCESS CONTROL

7.1 ACCESS CONTROL

7.1.1 Access control policy for user, network (fixed & wireless),
operating system, application and information system, mobile
computing and teleworking, administrator, root, third party
contractor and customers shall be established, documented and
reviewed at least twice a year, based on the business and
security requirements.
7.1.2 Formal user registration and de-registration procedure shall be
defined and documented for granting and revoking access to all
information systems and services. Users shall have unique
identity.
7.1.3 User access shall only be granted, based on “Need-to-Know”
basis, which shall be approved by authorized personnel.
7.1.4 Privilege account shall be restricted, controlled and approved by
authorized personnel. Acceptable use policy shall be
communicated and agreed before use. Privilege account shall
have a unique password and shall be reviewed at least twice a
year.

7.2 USER PASSWORD MANAGEMENT

7.2.1. User password policy shall be defined and communicated to all
staff. Password policy shall at least cover password length and
combination, choice of password, validity period, password
resetting and renewing.
7.2.2. User identity and password shall be restricted after three failed
connection attempts. All system level passwords and user level
passwords shall be changed at least every six months and every three
months respectively. Notify users of passwords in a separate email or
other forms of communication.
7.2.3 The community strings must be defined as something other than
the standard defaults and must be different from the passwords
used to log in interactively. A keyed hash must be used where
available.

7.3 USER RESPONSIBILITIES

7.3.1 Unattended equipment shall be protected through key
protection, log off, storage in protective container or cabinet or
other suitable means. Inactive sessions should time out or be
shut down after a defined period of inactivity.

7.3.2 Use of system utilities and programs shall be approved by
authorized personnel prior to use. The system utilities shall be
controlled and handled as per the Information Classification,
Labeling and Handling Company Procedure.
7.3.3 Clear desk and screen policy for papers, removable storage
media and information processing facilities shall be established
and communicated to all staff. This shall be done via system
policy. If this is not allowed in some information processing
facilities, they shall be logged off, powered off, locked or
protected against unauthorized access by other suitable means.

7.4 OPERATING SYSTEM, APPLICATION AND INFORMATION ACCESS CONTROL

7.4.1 Authentication and authorization shall be adopted to control the
access. SSL or VPN shall be adopted for remote access.
7.4.2 Physical and logical access to diagnostic and configuration
ports, sensitive application and information system shall be
controlled.


7.5 MOBILE COMPUTING AND TELEWORKING

7.5.1 Policy for using teleworking, mobile computing and
communication shall be defined and established. The control
should be the same as the one used in wired environment. Risk
Assessment on using teleworking, mobile computing and
communication shall be performed to identify any vulnerability.
7.5.2 Network shall be segmented according to different groups of
information services, users, information systems and customers
to minimize the security risk. Resilience concept shall be
applied where appropriate. Routing control shall be
implemented for network to assure that the computer
connections and information flows do not breach the access
control policy, business information and contractual
obligations.

8. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

8.1 APPLICATION SECURITY AND PROCESSING REQUIREMENTS

8.1.1 Security, authentication and message integrity requirements
shall be defined in the application specification, which has to be
reviewed and approved by the application owner. Methodology
for software development shall be deployed.
8.1.2 In order to prevent error, loss, correctness, unauthorized
modification or misuse of information, input data and output
data shall be validated. Validation checks shall be designed in
the application to detect any corruption or invalid logic of
information, counting and decision rules through processing
error.

8.2 CRYPTOGRAPHIC CONTROL

8.2.1 Policy of cryptographic control and key management shall be
defined. Key management shall at least cover the key generation,
distribution, storage, renewal and disposal. SANTA FE’s key
length requirements shall be reviewed annually and upgraded as
technology allows.


8.3 SECURITY IN DEVELOPMENT AND SUPPORTING PROCESS

8.3.1 Procedure for installation of software on operational systems
shall be defined and established. Software shall be tested prior to
deployment. System test data shall be selected according to the
requirements, protected and controlled. All data containing
personal and company privacy shall be sanitized before use.
Test data shall be removed from testing platform after use.
8.3.2 Access control to program source code shall be restricted to
authorized staff. Segregation of duties shall be adopted when
migrating between different platforms. Check in and check out
procedure shall be in place and records shall be maintained.
8.3.3 Normal change or emergency change shall follow the Change
Management Company Procedure. Configuration items shall be
updated accordingly. Technical review or risk assessment of
application after operating system changes shall be performed to
review and test whether any adverse impact is identified.

8.3.4 Outsourced software can be controlled and monitored. Security,
authentication and message integrity requirements, respective
responsibilities shall be defined. Project Plan shall be developed
to control and monitor the activities. User Acceptance Test shall
be prepared and executed. User Acceptance Test record shall be
maintained. Any changes shall follow the Change Management
Company Procedure. Configuration items shall be updated
accordingly.

8.4 TECHNICAL VULNERABILITY ASSESSMENT

8.4.1. Channel for obtaining technical vulnerabilities shall be identified.
Vulnerability information shall be analyzed and evaluated.
Relevant action shall be taken to contain and eradicate the
weaknesses.

9. INFORMATION SECURITY INCIDENT MANAGEMENT

9.1 Information security incidents shall be reported through proper channels.
The channels shall be communicated to all related stakeholders, who
have the responsibility to report the suspected or observed security
incident and vulnerability.
9.2 Information Security Incident Management Company Procedure
including responsibility, reporting channel, severity level, escalation
procedure, collection of evidence shall be defined and implemented.
Activities for containment, eradication, recovery phases shall be logged
so that they are auditable and traceable. Control of collection of evidence
shall include the collection of the chain of custody and evidence,
handling, storage and preservation of seizure.
9.3 It is the responsibility of the SANTA FE’s Information Security Manager
to coordinate communications with entities outside SANTA FE (such as
law enforcement agencies) about a suspected or confirmed information
security incident on any SANTA FE system or premise and to coordinate
communications in response to external inquiries about such incidents.
9.4 Mechanism for types, volumes and cost of information security incidents
shall be established to quantify and monitor the information security
incident. Lessons learnt on the information security incident shall be
conducted through experience sharing, meeting, training, and change of
operating procedures or other appropriate means.

10. BUSINESS CONTINUITY MANAGEMENT

10.1 Business Continuity Framework shall be established, implemented and
maintained at planned intervals.
10.2 Business Impact Analysis shall be conducted to identify the critical
business processes for recovery, which have to be conducted at least once
a year or when major change is introduced.
10.3 Disaster definition, responsibilities for disaster declaration, recovery time
objective and recovery point objective shall be defined. Procedures for
business and disaster recovery, command centre, emergency response
operation, business resumption, and damage assessment shall be defined
and implemented when necessary.
10.4 Standard communication press shall be prepared for major scenarios for
better corporate image.
10.5 Training shall be provided to staff for the operation of the Business
Continuity Plan.
10.6 Drill on established Business Continuity Plan shall be performed at least
once a year. Drill Plan shall be prepared with stated objectives and
approved by authorized personnel. Drill reports shall be maintained.
Follow-up actions on drill result shall be implemented to enhance the
Business Continuity Plan.
10.7 Business Continuity Plan shall be reviewed at least annually or when
major change is introduced. Business Continuity Plan shall be updated
accordingly and approved by MD. The updated Business Continuity
Plan shall be communicated to all affected parties.


11. COMPLIANCE

11.1 List of required regulative and statutory requirements including
intellectual property rights, data protection and personal privacy,
cryptographic control, transborder, software license, copyright and
trademark for SANTA FE’s operation and contractual obligation shall be
identified and documented and kept updated by the Financial Controller.
S(he) is responsible to identify the key requirements for meeting the
regulation from Santa Fe’s perspective. The compliance of the regulation
will be reviewed during Management Review Meeting.
11.2 SANTA FE’s appointed staff is responsible to update the List and
perform risk assessment if any change is introduced to the regulative and
statutory regulations. All operations shall comply with the
identified regulative and statutory requirements and contractual
obligations.
11.3 Critical records shall be protected from loss, destruction and falsification
as per Information Classification, Labeling and Handling Company
Procedure that shall comply with the legislative and statutory
requirements and contractual obligations.

11.4 Access to the information and information processing facilities shall be
granted on “need-to-know” basis and the job requirements. Users shall be
deterred from unauthorized access. Disciplinary action or legal action can
be taken for unauthorized access of the information and information
processing facilities.

11.5 COMPLIANCE AUDIT

11.5.1 Compliance audit shall be planned and conducted at least once
a year. Compliance audit shall cover all the policies that relate
to the security and operation. Root cause of discrepancies shall
be identified; relevant actions shall be taken to correct, contain
and remove the symptoms from future recurrence. Records of
compliance audit shall be maintained.
11.5.2 Technical compliance test on information systems and operating
systems against security standards shall be planned and
conducted at least once a year. Any discrepancies shall be
identified. Risk Assessment shall be conducted to identify the
risks associated with the patch, new version and vulnerabilities.
11.5.3 Change management, patch management and configuration
management procedures shall be followed. Related
documentation and configuration shall be updated accordingly.
Records related to the technical compliance test shall be
maintained.

11.5.4 Access to information systems audit tools shall be protected to
prevent mis-use or compromise. The required protection shall
follow the Information Classification, Labeling and Handling
Company Procedure.

11.6 SANTA FE RELOCATION SERVICES PRIVACY POLICY
VERSION 3
(Updated 01 March 2009)

This privacy policy covers all Companies owned, or majority owned by
Santa Fe Relocation Services, and all companies operating in that name
owned in part by Santa Fe Transport International Ltd.

Our Commitment To Privacy

Your privacy is important to us. To better protect your privacy, we provide
this notice explaining our online information practices and the choices you
can make about the way your information is collected and used. To make this
notice easy to find, we make it available on our homepage. This policy
supplements other materials you may have received or will receive from Santa
Fe.

Cookies
A cookie is a piece of data stored on the user’s hard drive containing
information about the user. Usage of a cookie is in no way linked to any
personally identifiable information while on our site. We use cookies to keep
track of session ID numbers when a user logs into their account. This allows
the system to simultaneously keep track of multiple login sessions. Once the
user logs out and closes their browser, the cookie expires. If a user rejects the
cookie, they may still use all areas of our site with the exception of account
login.

If the storage of a cookie on your hard drive concerns you, a number of
commercially available products can assist you to delete this. Please see your
IT department for assistance.

What Information Is Collected?

As a customer of Santa Fe, you will at times be requested to supply your
Relocation Consultant with personal information that allows him or her to
better service you. At times, this information is legally required and will
differ by country (for instance in Immigration Services, requests will often
involve passport information, education background, resume details, copies
of certificates and diplomas, family information, criminal conviction
information, etc).

Where you decide not to supply requested information to Santa Fe, we will
make a reasonable attempt to complete the services requested where possible,
and where authorized by your company, however please be aware that the
impact could be as below:

Immigration: Failure to supply legally required information may mean that it
is not possible for Santa Fe to process your immigration, or the application
may be declined by the government authorities if it does not meet the required
minimum application criteria. Having a visa declined may impact on your
ability to apply for visas in the future in that country and others.

Orientation and Home Search services: It is not legally required to provide
any information, but providing this will assist your Relocation Consultant to
provide you and your company with the most efficient service possible. You
are under no obligation to answer any questions, however, failing to do so
may impact on the ability of our staff to assist you, and may result in
additional costs for your company.

Household Goods Moving Services: Failure to supply legally required
information may result in delays or costs associated with customs and border
security.

For any information supplied that is used for immigration or household goods
moving, the intentional supply of false information may lead to criminal
prosecution of the individual and/or their company by the related government
authorities.

The Way We Use Information


We use the information you provide about yourself when placing an order or
requesting a service only to complete that order and avoid collecting that
information during subsequent services within a reasonable time frame. We
do not share this information with outside parties unless it is necessary to do
so as part of an authorized service delivered to you.


We use return e-mail addresses to answer the e-mail we receive. Such
addresses are not used for any other purpose and are not shared with outside
parties.

Your employer may require our staff to copy them on any replies to you. If
you do not wish for this to happen on any particular email, you are requested
to state this in the subject line of that email.

We use non-identifying and aggregate information to better design our web
site, diagnose problems with our Web server, and administer our web site. For
example, we may gather information telling us that X number of individuals
visited a certain area on our web site, or that Y number of men and Z number
of women filled out our registration form.

Finally, we never use or share the personally identifiable information
provided to us online in ways unrelated to the ones described above.

Our Commitment To Data Security


To prevent unauthorized access, maintain data accuracy, and ensure the
correct use of information, we have put in place appropriate physical,
electronic, and managerial procedures to safeguard and secure the information
we collect online. We are proudly ISO27001 (Data Security) certified in all of
our large offices, and continue to roll out this certification to all Santa Fe
offices. Training of our staff in Data Security processes is an important part
of this certification.

ISO27001 allows for different levels of security. All information of a
personal nature collected from you that could identify you in any way is
classified as ‘Restricted’. The server on which that information is held, as
well as the access security, meets the strictest criteria in terms of remote
and physical access and is regularly reassessed in light of new developments. Only
authorized persons within Santa Fe or your organization will have access to
your data.

Our Commitment To Children's Privacy


Protecting the privacy of the very young is especially important. For that
reason, we never collect or maintain information on our web site from those
we actually know are under the age of 13, and no part of our web site is
structured to attract anyone under the age of 13. Please note that we may be
required to collect and keep detailed information from those under the age of
13 for the purposes of providing immigration services only.


How To Correct or Update Your Information


You can correct factual errors in and update your personally identifiable
information by sending us a request that credibly shows errors or includes the
updated information to Santa Fe Relocation Services, 18/F, C.C. Wu
Building, 302-8 Hennessy Road, Wanchai, Hong Kong, Attention: Relocation
Services Privacy Coordinator. You may also do so by contacting your
allocated Relocation Consultant.

To protect your privacy and security, we will also take reasonable steps to
verify your identity before granting access or making corrections.

Third-Party Sites
To better serve you, we often provide links to other web sites that may be of
interest to you. We have no control over and are not responsible for the
content or the operators of such sites. Therefore, this privacy policy will not
apply to information you may provide on such sites. You should contact the
operators of any web site if you are concerned about the privacy of the
information that may be collected when you use the site.

Updating Our Privacy Policy


Due to changing circumstances and technology, it may be necessary to alter
our privacy policy from time to time. You may always obtain the most current
version of this policy at www.santaferelo.com or by requesting a copy by
sending an e-mail to privacy@santafe.com.hk
