
Integrated Management System Manual

As per ISO 9001:2015, ISO 14001:2015, ISO 45001:2018 & ISO/IEC 27001:2022

Document ID ASPL-MAN-01
Document Classification Internal
Release Date: 01-11-2023
Version: 1.0
Last Updated on: 01-11-2023
E-mail:

Address:
B1210, NX-BYTE (T3).12th FLOOR – NX ONE - TECH ZONE - 4, GREATER NOIDA (WEST) 201308
Copy No. 01 (Master Copy)
Scope: Provide Backend Development Services, Frontend Development Services, Graphics
Design, Web Development, E-Commerce Solutions

Exclusion
No Exclusion

Prepared/Changed By: CISO
Reviewed By: IMS Manager (Director Sales)
Approved By: Director Prod.

Revision History

Page No. | Revision Number | Revision Date | Description of Change | Prepared by
 | 00 | 01.11.2023 | Initial Release | 
Addon Shareware Private Limited
IMS Manual
As per ISO 9001:2015, ISO 14001:2015, ISO 45001:2018 & ISO/IEC 27001:2022

Section Number | Section Description | Reference clause of the standard: ISO 9001 | ISO 27001 | ISO 14001 | ISO 45001 | Page No.
1.0 | Issue | A | A | A | A | 7
2.0 | Distribution | A | A | A | A | 7
3.0 | Introduction | A | A | A | A | 9
3.2 | Scope | A | A | A | A | 9
3.3 | Brief history of the company | A | A | A | A | 9
4.0 | Context of the organization | A | A | A | A | 10
4.1 | Understanding the organization and its context | A | A | A | A | 10
4.2 | Understanding the needs and expectations of interested parties | A | A | A | A | 11
4.3 | Determining the scope of the Integrated management system | A | A | A | A | 11
4.4 | Integrated management system | A | A | A | A | 13
5.0 | Leadership | A | A | A | A | 13
5.1 | Leadership and commitment | A | A | A | A | 13
5.1.2 | Customer Focus | A | A | A | A | 14
5.2 | Policy | A | A | A | A | 14
5.2.1 | Establishing the Integrated policy | A | A | A | A | 15
5.2.2 | Communicating the Integrated policy | A | A | A | A | 15
5.3 | Organizational roles, responsibilities and authorities | A | A | A | A | 15
5.4 | Consultation & Participation of worker | NA | NA | NA | A | 
6.0 | Planning | A | A | A | A | 16

MR CISO Director Prod.


Prepared By Reviewed By Approved By

Document ID: ASPL-MAN-01 Issue Date: 01.11.2023 Version No.: 1.0 Page 2 of 29
6.1.1 | Actions to address risks and opportunities | A | A | A | A | 16
6.1.2 | Environmental aspects | NA | NA | A | NA | 
6.1.2 | Hazard identification and assessment of risks and opportunities | NA | NA | NA | A | 
6.2 | Objectives of the Integrated management system and planning to achieve them | A | A | A | A | 16
6.3 | Planning of changes | A | NA | NA | NA | 17
7.0 | Support | A | A | A | A | 17
7.1 | Resources | A | A | A | A | 17
7.2 | Competence | A | A | A | A | 18
7.3 | Awareness | A | A | A | A | 19
7.4 | Communication | A | A | A | A | 19
7.5 | Documented information | A | A | A | A | 20
8.0 | Operation | A | A |  |  | 22
8.1 | Operational planning and control | A | A | A | A | 22
8.2 | Information Security and Risk Assessment | NA | A | NA | NA | 24
8.3 | Information Security Risk Treatment | NA | A | NA | NA | 25
8.2 | Requirement for Product & services | A | NA | NA | NA | 23
8.2 | Emergency preparedness and response | NA | NA | A | A | 
8.3 | Design and Development of products and services | NA | NA | NA | NA | 
8.4 | Control of Externally provided processes, products and services | A | NA | NA | NA | 23
8.5 | Production and service provision | A | NA | NA | NA | 27
8.5.1 | Control of production and service provision | A | NA | NA | NA | 27
8.5.2 | Identification and traceability | A | NA | NA | NA | 27
8.5.3 | Property belonging to customers or external providers | A | NA | NA | NA | 28
8.5.4 | Preservation | A | NA | NA | NA | 28
8.5.5 | Post-delivery activities | A | NA | NA | NA | 28
8.5.6 | Control of changes | A | NA | NA | NA | 28
8.6 | Release of products and services | A | NA | NA | NA | 28
8.7 | Control of nonconforming outputs | A | NA | NA | NA | 29
9.0 | Performance evaluation | A | A | A | A | 29
9.1 | Monitoring, measurement, analysis and evaluation | A | A | A | A | 29
9.2 | Internal audit | A | A | A | A | 29
9.3 | Management review | A | A | A | A | 31
10.0 | Improvement | A | A | A | A | 
10.2 | Nonconformity and corrective action | A | A | A | A | 33
10.3 | Continual Improvement | A | A | A | A | 33

Here, A = Applicable and NA = Not Applicable.

Note:

This manual is prepared for the purpose of defining the company’s interpretation of the ISO
9001:2015, ISO 14001:2015, ISO 45001:2018 & ISO/IEC 27001:2022 standards, as well as to
demonstrate how the company complies with those standards.

About the IMS Manual


This manual is structured as shown in the table of contents page. The revision number and
revision date are indicated on each page of the manual. The master copy of the manual bears the
original signatures of the approving authorities and has “Master Copy” written in red at the top of the
front page. Copies issued within the organization have “Controlled Copy” written on the front page in
blue. This Manual is available in English only.

The Director has nominated a Management Representative (MR) for preparing, issuing, maintaining,
updating and re-issuing the manual. The manual is distributed to those persons who need it. The MR
can issue additional copies of the manual to external agencies, including customers. These copies carry
the statement “For reference only” on the cover page in black. Such uncontrolled copies do not come
under the purview of document control.

The MR reviews the manual at regular intervals and incorporates the necessary changes. The details of
changes are recorded in the revision history and, after approval by the approving authority, communicated
to all personnel holding controlled copies of the manual. It is the responsibility of the copyholder to
replace the revised section and return the obsolete section to the MR. The MR retains one obsolete copy of
each revised section; these copies are marked with the statement “Obsolete Copy” on the front page in red.

This IMS Manual describes the organization’s Information Security management and Quality management
systems. It lists the procedures and measures of the IMS. The IMS has been formulated on the basis of
ISO 9001:2015, ISO 14001:2015, ISO 45001:2018 & ISO/IEC 27001:2022.

This section explains the structure, issue and updating procedures of the IMS Manual. This Manual and
the information incorporated herein are the property of the Organization. It must not be reproduced in
whole or in part, or otherwise disclosed, without prior written consent from the Organization.

Place: Noida
Date: 01-11-2023

Director

Abbreviations and Acronyms


HR Human Resource
ISO International Organization for Standardization
Qty Quantity
Rev Revision
Ser Service
Specs Specifications
Sr Senior/Serial
MR Management Representative
MRM Management Review Meeting


NCR Non-Conforming Report


DOC Document
WI Work Instructions
CB Certification Body
ISMS Information security management system
IA Internal Audit
CISO Chief Information security officer
ASPL Addon Shareware Pvt. Ltd.
QMS Quality Management System
IMS Integrated Management System
EMS Environmental Management System
OHSMS Occupational Health & Safety Management System

1.0 Issue Control


1.1 Issue:

This Integrated (QMS, EMS, OHSMS & ISMS) Manual has been prepared in accordance with the ISO
9001:2015, ISO 14001:2015, ISO 45001:2018 & ISO/IEC 27001:2022 standards. It outlines the Integrated
management system requirements which the company has adopted to meet the requirements of
these standards.
The Management shall issue the Manual. It shall be controlled as per Clause 7.5.3 of this
Manual. All authorised holders as per the distribution list shall be responsible for implementation of
the QMS, EMS, OHSMS & ISMS in their respective areas.

Individuals in possession of controlled copies shall receive revisions or amendments as and
when issued.
The Manual may be issued outside the Organisation (if required). It shall, however, not be
controlled, shall not bear a copy number and shall be stamped 'Uncontrolled'. No distribution
record shall be maintained.
During the internal audit the concerned clauses shall be reviewed to ensure the current practice
and effectiveness of the documents.
1.2 Distribution
This Manual shall be distributed as per the following distribution list:


Copy No: Holder

1 Director

2 CISO

3 Certification Body

NOTE: Director copy shall be treated as the Master Copy

2.0 Change History

Sr. No. | Date | Issue no. | Remarks


3.0 Introduction
3.1 Purpose:

The purpose of this QMS, EMS, OHSMS & ISMS Manual is to describe the system adopted by the
organisation. It has been prepared to outline how the organisation conducts its own affairs with
respect to the achievement. It is also intended to serve as a document for the organisation's own staff
and workforce for understanding the organisation's policy and procedures.

3.2 Scope:

The QMS, EMS, OHSMS & ISMS Manual describes the way in which the system operated by the
organisation satisfies the requirements of ISO 9001:2015, ISO 14001:2015, ISO 45001:2018 &
ISO/IEC 27001:2022. The system is applicable to Addon Shareware Pvt Ltd for the scope of: Provide
Backend Development Services, Frontend Development Services, Graphics Design, Web Development,
E-Commerce Solutions. All applicable formats shall be referred to at the appropriate locations of this
manual. The applicable procedures and formats shall be referred to in the respective area of the
statement of applicability.

3.3 Brief history of the company and About the Organization:

We, Addon Shareware Pvt. Ltd., are an India-based company and a leading professional website designing
and software development company in the field of IT. Throughout our history we have remained a strong,
stable company. We have evolved sound delivery models and business strategies to deliver high-quality and
cost-effective solutions to our clients to meet their goals and perform better. Our commitment, customer
satisfaction, technical expertise, corporate values and transparency have made us a preferred vendor to our
clients. We specialize in Product Development, Implementation, Consulting Services and providing IT
solutions to make your business more efficient.


4.0 Context of the Organization


4.1 Understanding the organization and its context:

The organization has determined the internal and external issues pertaining to the information
security management system, the quality management system, environmental and occupational
health & safety matters, customer-related, external-provider and legal issues, and other business issues.
Addon Shareware identifies, reviews and updates information related to these external and
internal issues in the Management Review process (addressed in section 9.3).

Reference:
ASPL-IMS-4.1 Internal and External Issues

4.2 Understanding the needs and expectations of interested parties

In order to identify the issues related to the business and to information security, the interested
parties related to the various departments are identified.
The needs and expectations of the interested parties are identified pertaining to the QMS, EMS,
OHSMS & ISMS as related to the applicable working of the organization.

Reference:
ASPL-IMS-4.2 Need & Expectations of Interested Parties

4.3 Determining the scope of the Integrated Management System

The scope of this Information Security and Quality Management System, as applicable to
Addon Shareware, is as follows:

When determining this scope, Addon Shareware has considered:

a) the external and internal issues referred to in External & Internal Issues;

b) the requirements of relevant interested parties and the compliance register referred to in Interested
Parties Requirements;


The scope of the organization’s IMS shall be available and maintained in this section. The scope
shall state the services covered and provide justification for any requirements of the standards that the
organization determines are not applicable to the scope of its IMS.

Product Development, Implementation, Consulting Services, IT Solutions, Graphics
Design, Web Development, and E-Commerce Solutions

Non-Applicable Clauses:

Standard | Clause / Sub-Clause | Requirement | Justification of non-applicability
NA | NA | NA | NA

Place: Noida
Date: 01-11-2023

Director

Once the scope is defined, all activities and services of the organization within this scope are included in
the Information Security, Quality, Environmental and Occupational Health & Safety management
system.

4.4 Integrated Management System and its processes.

The management system requirements as per the guidelines of the standards (ISO 9001:2015, ISO
14001:2015, ISO 45001:2018 and ISO/IEC 27001:2022) are defined, developed, implemented,
maintained and continually improved as per the working of the organization.
The processes related to IMS have been identified, defined and implemented using the concept of
risk assessment, sequence and interactions.
The controls are exercised using monitoring and measurement of the performance indicators and
review of the same at defined intervals.


The resources, responsibilities, authorities and evaluation criteria, and the documented
information required by these international standards, are maintained and retained as per the
procedure for documented information.

5.0 Leadership

5.1: Leadership and commitment

The management shall demonstrate leadership and commitment with respect to the Quality and
Information Security Management System by:
(a) Taking accountability for the effectiveness of the Quality and Information Security Management
System.
(b) Ensuring that the Quality and Information Security policy and objectives are established and
are compatible with the context and strategic direction of the organization.
(c) Ensuring that the Quality and Information Security Management System and the business activities
are integrated.
(d) Ensuring that process-based and risk-based thinking are used.
(e) Ensuring the availability of resources.
(f) Communicating effectively the requirements of the integrated management system.
(g) Ensuring that the process objectives related to the IMS are achieved.
(h) Engaging, directing and supporting persons to contribute to the effectiveness of the management
system and promoting improvement.

5.1.2 Customer Focus:

The management of Addon Shareware demonstrates leadership and commitment with respect to
customer focus by ensuring that:
(1) Customer and applicable regulatory requirements are determined, understood and
consistently met.
(2) The risks and opportunities that can affect the conformity of products and services and the
ability to enhance customer satisfaction are determined and addressed.
(3) The focus on enhancing customer satisfaction is maintained.


5.2 Policy:

Our top management has established, implemented and maintained an INTEGRATED policy that:
a) is appropriate to the purpose and context of Addon Shareware;
b) provides a framework for setting and reviewing the objectives of the IMS;
c) includes a commitment to satisfy the applicable information security, quality, environmental and
occupational health & safety requirements and the objectives of the integrated management system,
including statutory and regulatory requirements and mutually agreed customer requirements related
to the IMS;
d) addresses internal and external communication;
e) includes a commitment to continual improvement of the IMS;
f) addresses the need to ensure competencies related to the Integrated Management System.

5.2.1 Establishing the Integrated policy


Top management shall establish, implement and maintain an integrated policy that:
a) is appropriate to the purpose and context of the organization and supports its strategic
direction;
b) provides a framework for setting integrated objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the integrated management system.

5.2.2 Communicating the Integrated policy


The integrated policy shall:
a) be available and be maintained as documented information;
b) be communicated, understood and applied within the organization;
c) be available to relevant interested parties, as appropriate.
Reference

ASPL-IMS-5.2 IMS Policy

5.3 Organizational Roles, Responsibility & Authority

The structure of Addon Shareware and the related responsibilities of virtual employees are shown in the
Department Manuals. This structure simply shows functional relationships and responsibilities; it does
not imply the relative seniority or importance of any position.


The responsibilities of each individual shall be given to him separately so that he understands his duties;
the same are detailed in the individual personnel files available with the personnel department.
The authorities of each position have been defined in the process manuals of the different
departments.
Reference:
ASPL-IMS-5.3.2 Roles, Responsibilities & Authorities

5.4 Consultation and Participation of workers


Consultation is the process by which management and employees, or their representatives, jointly
examine and discuss issues of mutual concern. Consultation is a two-way process that involves seeking
acceptable solutions to problems through a genuine exchange of views and information.
Addon Shareware has established a mechanism, through worker representation, for consultation and
participation (involvement) of workers at all applicable levels and functions in the development,
planning, implementation, performance evaluation and actions for improvement of the OH&S
Management System.
The emphasis on consultation and participation of workers is intended to apply to persons carrying out
the work activities who are impacted by work activities or other factors in the organization.
Reference documents:
ASPL-IMS-5.4.1 Safety Committee Plan
ASPL-IMS-5.4.2 Safety Committee Meeting

6.0 Planning
6.1 Actions to address risk and opportunities

6.1.1 When planning the Integrated Management System, the organization shall consider the internal
and external issues identified in section 4.1. On the basis of the internal and external issues related
to the Integrated management system requirements, the risks and opportunities are evaluated in
order to:
a) Give assurance that the Integrated Management System can achieve its intended use;
b) Enhance desirable effects;
c) Prevent or reduce undesirable effects;
d) Achieve improvement.
The organization shall plan to address these risks and opportunities.
Risk assessment is carried out as per the Risk Management procedure, and the records are
maintained for the various areas in the Risk register sheets of the concerned departments.

Reference:

ASPL-IMS-6.1.1 Risk register_V1.0

6.1.2 Environmental aspects

Within the defined scope of the environmental management system, the organization has determined
the environmental aspects of its activities, products and services that it can control and those that it
can influence, and their associated environmental impacts, considering a life cycle perspective.

When determining environmental aspects, the organization has taken into account:

a) Change, including planned or new developments, and new or modified activities, products and
services;
b) Abnormal conditions and reasonably foreseeable emergency situations.

The organization has determined those aspects that have or can have a significant environmental
impact, i.e., significant environmental aspects, by using established criteria.

The organization has communicated its significant environmental aspects among the various levels
and functions of the organization, as appropriate.

The organization has maintained documented information of its:

— Environmental aspects and associated environmental impacts;

— Criteria used to determine its significant environmental aspects;

— Significant environmental aspects.

Reference:

ASPL-IMS-6.1.2 Environmental Aspect Impact Matrix


ASPL-IMS-PR05 Procedure for Environmental Aspect Impact

6.1.2 Hazard identification and assessment of risks and opportunities


The organization has established, implemented and maintained a process for hazard
identification that is ongoing and proactive and considers each and every process. It covers
workload, work hours, victimization, harassment and bullying, routine and non-routine activities,
past relevant incidents (internal or external to the organization, including emergencies) and their
causes, potential emergency situations, actual or proposed changes in the organization, and changes in
knowledge of, and information about, hazards, as recorded in the Hazard Identification Risk Assessment.

Reference:

ASPL-IMS-6.1.3 Hazard Identification & Risk Assessment Matrix

6.2 IMS Objectives and planning to achieve them

The objectives identified for the year shall be made available in the form of “IMS Objectives”. These
shall be reviewed from time to time, and new targets will be identified as and when
required.
The information security and quality objectives shall:
(1) Be consistent with the information security and quality policy;
(2) Be measurable (if practical);
(3) Take into account applicable information security and quality requirements and the results
of the risk assessment and risk treatment;
(4) Be communicated;
(5) Be updated as appropriate.
The objectives are structured as follows:
(a) The statement of the objectives
(b) Requirement of resources
(c) Responsibility
(d) Target date
(e) Evaluation criteria of the objectives

Reference:


ASPL-IMS-6.2 IMS Objectives


6.3 Planning of changes
When the organization determines the need for changes to the quality management system, the
changes shall be carried out in a planned manner.
The organization has considered:
a) the purpose of the changes and their potential consequences;
b) the integrity of the quality management system;
c) the availability of resources;
d) the allocation or reallocation of responsibilities and authorities.

7.0 Support
7.1 Resources

Addon Shareware has determined and provided the resources needed for the establishment,
implementation, maintenance and continual improvement of the Information Security and Quality
Management Systems.
Reference:
ASPL-IMS-7.1.2 List of Employees
ASPL-IMS-7.1.3.1 List of Hardware & Software

7.1.3 Infrastructure
Addon Shareware has determined, provided and maintained the infrastructure necessary for the
operation of its processes and to achieve conformity of products and services, including:
a) buildings and associated utilities;
b) equipment, including hardware and software;
c) transportation resources;
d) information and communication technology.

7.1.4 Work Environment


The organization has determined, provided and maintained the resources for the establishment,
management and maintenance of the work environment necessary to achieve conformity with the
requirements of the IMS.

7.1.6 Organization Knowledge

Addon Shareware has determined the knowledge necessary for the operation of its processes and to
achieve conformity of products and services, as per ref. ASPL-IMS-7.1.6 Organization Knowledge.

This knowledge is maintained and made available to the extent necessary in the form of records.

When addressing changing needs and trends, our organization considers its current knowledge and
determines how to acquire or access any necessary additional knowledge and required updates, as per
the Organizational Knowledge record.

Reference:

ASPL-IMS-7.1.6 Organization Knowledge

7.2 Competence:

Addon Shareware has defined criteria for the competence level required for the various positions. The
same are available in the department process manual of the organization.

When appointing a new person to a particular post, the candidate is compared in terms of education,
training or experience and skill sets as defined in the above manual.

Where enhancement of competence is required, it is provided through training etc., and records of the
effectiveness of the training imparted are maintained.

Reference:
ASPL-IMS-7.2.1 Competency Matrix (Required & Available)
ASPL-IMS-7.2.2 Training Need Identification
ASPL-IMS-7.2.3 Annual Training Calendar
ASPL-IMS-7.2.4 Training Record Sheet
ASPL-IMS-7.2.5 Training Effectiveness Record


7.3 Awareness
It is ensured that the people working in any area are aware of the following:
(1) The information security and quality policy;
(2) Their responsibility to fulfil the requirements, including the benefits of improvement in the
information security and quality management systems;
(3) The implications of not conforming to the information security and quality management
systems;
(4) The relevant quality objectives.

7.4 Communication

Addon Shareware has determined the need for internal and external communication
relevant to the information security management system, including:
1) What to communicate
2) When to communicate
3) With whom to communicate
4) Who shall communicate
5) The processes by which communication will be effected

Reference:
ASPL-IMS-7.4 Communication Matrix

7.5 Documented Information:


7.5.1 General:
The Addon Shareware integrated management system includes:
a) Documented information required by IMS; and
b) Documented information determined by Addon Shareware as being necessary for the
effectiveness of the quality management system

7.5.2: Creating and Updating


When creating and updating documented information, Addon Shareware ensures appropriate:
a) Identification and description (e.g. title, date, author, or reference number);
b) Format (e.g., language, software version, graphics) and media (e.g. paper, electronic); and
c) Review and approval for suitability and adequacy.


7.5.3 Control of Documented Information

7.5.3.1 Documented information required by the integrated management system and by ISO
9001:2015, ISO 14001:2015, ISO 45001:2018 & ISO/IEC 27001:2022 is controlled to ensure that:
a) It is available and suitable for use, where and when it is needed; and
b) It is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

7.5.3.2 For the control of documented information, Addon Shareware has addressed the following
activities, as applicable.
a) Distribution, access, retrieval and use;
b) Storage and preservation, including preservation of legibility;
c) Control of changes (e.g. version control); and
d) Retention and disposition.
Documented information of external origin determined by Addon Shareware to be necessary
for the planning and operation of the quality management system is identified as appropriate and
controlled.
Documented information retained as evidence of conformity is protected from unintended
alterations.
Reference:
ASPL-IMS-7.5.1 Master List of Documented Information
ASPL-IMS-PR01 Procedure for Control of Documented Information

8.0 Operation
8.1 Operational planning and control:

The planning of the processes to meet the requirement of the customer is achieved through the
various procedures and the statement of applicability.


These documents describe:

(a) The sequence of operations and sub-operations required to realise the services.
(b) The controls on the processes and activities, as applicable.
(c) The description of the non-applicability of control points.
The organization has identified and planned those operations that are associated with quality
issues, consistent with its quality policy, objectives and targets, in order to ensure that they are
carried out under specified conditions, by:

- Establishing, implementing and maintaining a documented procedure to control situations where
its absence could lead to deviation from the quality policy, objectives and targets.
- Stipulating the operating criteria in the policy and process documents; establishing,
implementing and maintaining procedures related to the identified quality issues and services used
by the organization; and communicating applicable procedures and requirements to suppliers.

8.2 Requirement for product and services:

Client Account Management / Recruitment / Coordination / Project Leads shall identify and
establish communication by e-mail with its important and major customers on a regular basis to
obtain regular feedback on various aspects of the business, including the following:
- Product performance at the customer’s end.
- Any additional requirement in product quality required by the customer.
- Any suggestion the customer would like to make for further improvement.
- Total acceptability of the product by the customer.

Similarly, the Project Lead shall also keep the customer apprised of any changes in the
product profile, which may include:
- Project completion status
- Prototype sharing
- Any grievances / feedback / complaints / quality / delivery status
- Any inputs required from the working point of view

8.2.1 Customer communication

Communication with customers shall include:
a) providing information relating to products and services;
b) handling enquiries, contracts or orders, including changes;
c) obtaining customer feedback relating to products and services, including customer
complaints;
d) handling or controlling customer property;
e) establishing specific requirements for contingency actions, when relevant.

8.2.2 Determining the requirements for products and services

1. Any requirements received from customers are handled by the sales team, the pre-sales
team and the Project Leads. The requirements are reviewed and finally recorded as per the
procedure for the requirement management system.
2. The organization identifies the services requested by the customer that can be performed on
a computer and delivered over the internet.
3. It shall also seek guidance on legal and statutory aspects, wherever found necessary,
from the respective competent authorities.

8.2.3 Review of requirements related to products and services

After a customer enquiry is received by the organization, it is reviewed and categorised as
follows:
1. After the requirements are compiled, they are recorded.
2. If the requirement is found to be frequent in nature and the organization has a
dedicated team for it, the project is handed over to the dedicated team.
3. If the requirement falls in the category of new requirements, the requirement is sent to
the recruitment team to form the team.
4. The recruitment team screens candidates, and the eligible candidates are sent to the
client for review, interviews and finalisation of the candidate for the project work.
5. In certain cases the resources can be identified from the internal resources
available; these are identified and the work is allocated accordingly.

8.2.4 Changes to requirements for products and services

If any change to the requirements is requested or raised by the customer, the change is
reviewed and, where feasible, the requirements are provided or changed accordingly.

8.2 Information Security and Quality Management Risk Assessment

The procedure for Information Security and Quality Management risk assessment has been
defined and is available in the documented information, which includes:
(a) Information security and QMS risk criteria, comprising (1) risk acceptance criteria and (2)
criteria for performing risk assessments.
(b) Ensuring that repeated information security and quality risk assessments produce consistent,
valid and comparable results.
(c) Applying the information security and quality risk assessment process to identify risks
associated with the loss of confidentiality, integrity and availability of information within
the scope of the information security management system, and identifying the risk owners.
(d) Analysing the information security and quality risks: (1) assessing the potential consequences
that would result if the identified risks were to materialise; (2) assessing the realistic
likelihood of occurrence of the identified risks and determining the level of risk.
(e) Evaluating the information security and quality risks: (1) comparing the results of the risk
analysis with the risk criteria established in the procedure for risk assessment; (2) prioritising
the analysed risks for treatment.

Reference:
ASPL-IMS-PR04 Procedure for Risk Assessment & Treatment
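The steps (a) to (e) above describe a scoring routine that can be made concrete. The following Python script is an added illustration and is not part of this manual or of ASPL-IMS-PR04: the 1 to 5 scales, the acceptance threshold of 6, the rating bands, the risk-level formula (likelihood multiplied by the worst CIA consequence) and the four register entries are all constructed assumptions chosen for the example. It identifies a risk per CIA loss with an owner (step c), analyses consequence and likelihood into a level (step d), compares the level with the acceptance criterion and prioritises the remainder for treatment (step e), and sorts deterministically so that repeated assessments of the same register give the same result (step b).

```python
from dataclasses import dataclass

# Constructed risk criteria for this example (the organisation's real criteria
# are defined in ASPL-IMS-PR04, which is not reproduced here).
SCALE = range(1, 6)             # 1 = very low ... 5 = very high
ACCEPTANCE_THRESHOLD = 6        # a risk level <= 6 is accepted without treatment
RATING_BANDS = [(6, "Low"), (12, "Medium"), (25, "High")]


@dataclass(frozen=True)
class Risk:
    """One risk register entry: loss of confidentiality, integrity or
    availability (CIA) for an information asset, with its risk owner."""
    risk_id: str
    asset: str
    scenario: str
    owner: str
    confidentiality: int    # consequence if confidentiality is lost, 1-5
    integrity: int          # consequence if integrity is lost, 1-5
    availability: int       # consequence if availability is lost, 1-5
    likelihood: int         # realistic likelihood of the scenario, 1-5

    def __post_init__(self):
        # Reject values outside the scale so every assessment uses the same criteria.
        for name in ("confidentiality", "integrity", "availability", "likelihood"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.risk_id}: {name}={value} outside scale 1-5")


def consequence(risk: Risk) -> int:
    """Step (d)(1): the consequence is the worst of the three CIA impacts."""
    return max(risk.confidentiality, risk.integrity, risk.availability)


def risk_level(risk: Risk) -> int:
    """Step (d)(2): level of risk = likelihood x consequence, range 1..25."""
    return risk.likelihood * consequence(risk)


def rating(level: int) -> str:
    """Map a numeric level onto the constructed Low/Medium/High bands."""
    for upper, label in RATING_BANDS:
        if level <= upper:
            return label
    raise ValueError(f"level {level} outside 1..25")


def evaluate(register):
    """Steps (e)(1)-(2): keep risks above the acceptance threshold and order them
    highest level first. Ties break on risk_id so that repeated runs over the
    same register give identical output (step (b))."""
    needs_treatment = [r for r in register if risk_level(r) > ACCEPTANCE_THRESHOLD]
    return sorted(needs_treatment, key=lambda r: (-risk_level(r), r.risk_id))


def summarize(register):
    """One summary row per register entry, suitable for the risk register record."""
    return [
        {
            "risk_id": r.risk_id,
            "owner": r.owner,
            "level": risk_level(r),
            "rating": rating(risk_level(r)),
            "accepted": risk_level(r) <= ACCEPTANCE_THRESHOLD,
        }
        for r in register
    ]


# Constructed sample register (assets, scenarios, owners and scores are invented).
SAMPLE_REGISTER = [
    Risk("R-01", "Client source code repository",
         "Unauthorised disclosure via leaked developer credentials",
         "CISO", confidentiality=5, integrity=3, availability=2, likelihood=3),
    Risk("R-02", "Office internet link",
         "Outage of the internet connection interrupts project delivery",
         "Director Prod.", confidentiality=1, integrity=1, availability=4, likelihood=4),
    Risk("R-03", "Employee laptops",
         "Loss of an unencrypted laptop holding project data",
         "IMS Manager", confidentiality=4, integrity=2, availability=3, likelihood=2),
    Risk("R-04", "Public website",
         "Defacement changes published content",
         "CISO", confidentiality=1, integrity=3, availability=2, likelihood=2),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_REGISTER):
        print(row)
    print("Treatment priority:", [r.risk_id for r in evaluate(SAMPLE_REGISTER)])
```

With the sample data, R-02 (level 16) and R-01 (level 15) are rated High, R-03 (level 8) Medium, and R-04 (level 6) sits exactly on the acceptance threshold and is accepted; the treatment order is therefore R-02, R-01, R-03 regardless of the order in which the register entries are supplied.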

8.2 Emergency Preparedness and response

The organization has established and implemented an emergency preparedness plan to identify
potential emergency situations and potential accidents that can have an impact on the environment,
and how they will be handled.

The emergency preparedness and response procedure details the prevention and mitigation of
the impacts of such emergency situations.

The procedure and plans are reviewed periodically and revised as required. After the occurrence
of an accident or emergency situation, a meeting including supervisor-level staff will be called for
the identification and planning of emergency preparedness.

Various types of mock drills shall be conducted in order to test the defined procedure and
plans.

References:
ASPL-IMS-PR07 Procedure for emergency preparedness & response

8.3 Information Security Risk Treatment

The risks and opportunities identified in the risk register that need to be treated for
mitigation or control are handled as per the procedure for risk assessment, ASPL policy and
process Version 1.0. Detailed records are available against the corresponding risks and opportunities.
Reference:
ASPL-IMS-PR04 Procedure for Risk Assessment & Treatment

8.4.1 General

The purchase section within the admin department shall ensure that purchased product conforms to
specified requirements. The type and extent of control applied to the supplier and the purchased
product shall depend upon the impact of the purchased product on subsequent product
realization and on the final product.

The purchase section shall evaluate and select suppliers based on their ability to supply product in
accordance with the organization's requirements. Criteria for selection, evaluation and re-
evaluation of vendors have been established, ref. no.
The results of evaluations and any necessary actions arising from the evaluation shall be recorded
and maintained.

Reference:
ASPL-IMS-8.4.1 Supplier Evaluation Form
ASPL-IMS-8.4.2 Supplier Performance Rating
ASPL-IMS-8.4.3 Approved Supplier List

8.4.3 Purchasing Information

Purchase Orders (including on-line purchases) shall clearly and accurately describe product
specifications and other terms and conditions, to ensure that supplied items conform to
the desired requirements as raised, including where appropriate:

• Requirements for approval of product, procedures, processes and equipment
• Requirements for qualification of personnel (if applicable)
• Quality Management System requirements (if applicable, for outsourced processes)

Before release of a Purchase Order, the purchase department shall ensure that at least three
comparative quotations are available. The justification for approving the selected supplier shall be
recorded.

8.4.2 Type and extent of control

The organization shall ensure that externally provided products and services do not adversely
affect the organization's ability to consistently deliver conforming products and services to its
customers, through:
(1) Inspection of product on arrival
(2) Holding payments until performance has been evaluated
(3) Rating supplier performance on quality, delivery and price.

8.5 Production and Service Provision

8.5.1 Control of Production & Service Provision

The organization shall implement production and service provision under controlled conditions;
the controlled conditions are as follows:
a) The availability of documented information pertaining to the various activities, as per
the requirements of the standard and the organization's specific requirements.
b) The availability and use of suitable monitoring and measuring resources, i.e. preventive
and breakdown maintenance, internal audits, management review meetings, internet speed and
downtime, etc.

c) Suitable infrastructure is provided to obtain the best possible output from the
employees.
d) Appointment of competent personnel to meet the requirements of the organization and the
client. Selection is performed as per the guidelines provided for qualification,
experience and skill set.
e) Validation and re-validation of processes is not applicable, as there is no
process in the scope of certification whose output cannot be verified.
f) Training and mentoring of employees is carried out in order to avoid human
error.
g) Screening of employees has been implemented at various points: at selection
(entry level), during employment and after termination.

8.5.2 Identification & Traceability

Employees at Addon Shareware shall be identified as follows:
(1) Employee ID (which is unique in nature)
(2) Dept/Team
(3) Official email-id and skype-id
(4) Name of the employee

8.5.3 Property belonging to customers or external providers

Addon Shareware receives the following customer property, which remains in the custody of
the organization until the time of its use:

(a) Electronic devices such as PCBs, mobiles, etc.
(b) The water dispenser

Records of the receipt and return of the property and of its status are maintained. If any property is
found defective, non-performing, broken, etc., the same is communicated to the customer/
supplier and a record to this effect is maintained.

8.5.4 Preservation

The following items are held in the organization (stores/work floor):
(1) IT stock in the stores
(2) Computers (laptops/desktops) and associated IT peripherals.

Care is taken to store the material in such a way that it is not affected by climatic
and natural conditions.
The stock of material is maintained in the ERP system.

8.5.5 Post Delivery Activities

At Addon Shareware, our commitment doesn't end at delivery. We ensure ongoing success through:

Quality Assurance & Monitoring: Rigorous testing and continuous monitoring for stability.

Client Training: Comprehensive sessions for smooth solution adoption.

24/7 Support: Dedicated support for prompt issue resolution.

Performance Optimization: Regular reviews and proactive measures for efficiency.

Security Updates: Timely patches and vigilant response to threats.

Feedback & Improvement: Continuous refinement based on client feedback.

Documentation: Comprehensive guides for troubleshooting and reference.

Strategic Planning: Collaborative planning for future growth.

8.5.6 Control of Changes

Suitable methods are applied for monitoring the processes at intermediate stages. When any
deviation from the specified results is observed, corrective action is taken as appropriate to ensure
the planned results. Measures of process performance include accuracy, timeliness, dependability,
effectiveness and efficiency of personnel.

8.6 Release of Product and Services

The organization provides employees as a service, and the monitoring of the service on the
assigned projects is done by the clients themselves. The employees appointed to a project are
also selected by the clients. The organization ensures that the infrastructure, including internet
facilities, is provided adequately. In case the customer is not satisfied with the selected employee,
the employee will be withdrawn or replaced.

The details of the services and their controls are as follows:

(1) Employee: attendance, leave management, payroll, data security assurance,
supervision of work, etc.
(2) Working premises: suitable working environment

(3) Computers and IT peripherals: timely maintenance to ensure that work is carried out
without interruption.
(4) Internet facility: speed and downtime.

8.7 Control on Non-Conforming outputs

Addon Shareware has developed a process to ensure that outputs that do not conform to their
requirements are identified and controlled to prevent their unintended use or delivery.

9.0 Performance Evaluation

9.1 Monitoring, Measurement, analysis and evaluation

(a) The measurement and monitoring activities needed to assure conformity in the operations
performed in the organisation have been defined.
(b) Process improvement for the quality and information security management system is an
ongoing activity and may sometimes need additional measurement and monitoring activities.
These measurements are also planned and implemented while executing the improvements.
(c) In order to identify the scope for improvement, and hence achieve continual improvement,
problem-solving tools shall be used. Compliments, warranty claims and dealer reports:

9.2 Internal Audit

9.2.1 Addon Shareware conducts internal audits at planned intervals to provide information on
whether the quality management system:
a) Conforms to: 1. Addon Shareware's own requirements for its integrated management system;
2. The requirements of ISO 9001:2015, ISO 14001:2015, ISO 45001:2018 & ISO/IEC 27001:2022
b) Is effectively implemented and maintained.
9.2.2 Addon Shareware has:
a) Planned, established, implemented and maintains an audit programme including the frequency,
methods, responsibilities, planning requirements and reporting, which takes into
consideration the importance of the processes concerned, changes affecting Addon
Shareware, and the results of previous audits;
b) Defined the audit criteria and scope of each audit;
c) Selected auditors and conducts audits to ensure the objectivity and impartiality of the audit
process;
d) Ensured that the results of the audits are reported to relevant management;

e) Takes appropriate correction and corrective actions without undue delay; and
f) Retains documented information as evidence of the implementation of the audit programme and
the audit results.
Reference:
Internal audit plan – ASPL-IMS-9.2.1
Internal audit schedule – ASPL-IMS-9.2.2
Internal audit report – ASPL-IMS-9.2.3
Non-conformity & corrective action report – ASPL-IMS-9.2.4

9.3 Management Review

Top Management of Addon Shareware conducts regular reviews of the IMS, approximately
every 12 months, according to the Procedure for Management Review.
Reference:
Circular for MRM – ASPL-IMS-9.3.1
Minutes of MRM – ASPL-IMS-9.3.2

10 Improvement
10.1 General

The organization shall determine and select opportunities for improvement and implement any
necessary action to meet customer requirements and enhance customer satisfaction.

These shall include:

- Improving products and services to meet requirements as well as to address future needs
and expectations.
- Correcting, preventing or reducing undesired effects.
- Improving the performance and effectiveness of the quality management system.

10.2 Non-Conformity and Corrective action

When a non-conformity occurs, including any arising from complaints, the organization shall:

a) Act to control and correct it;
b) Deal with the consequences;
c) Evaluate the need for action to eliminate the causes of the non-conformity, in order that it
does not recur or occur elsewhere, by:
a. Reviewing and analysing the non-conformity;
b. Determining the causes of the non-conformity;
c. Determining if similar non-conformities exist or could potentially occur;
d) Implement any action needed, review the effectiveness of any corrective action taken,
update the risks and opportunities determined during planning, and make necessary changes to the
Information Security Management System.
A record to this effect shall be maintained in the form of a CAPA.

Reference:
Non-conformity & Corrective action
SOP for Non-Conforming and Corrective Action

10.3 Continual Improvement

The projects for the continual improvement shall be taken and reviewed at defined intervals.

Annex A requirements are addressed in Statement of Applicability Ref: ASPL-ISMS-SOA-V1.0

………………………………………………. The End ……………………………………………
