Enc 13 Iso Audit Reports

The ISO10002:2014, ISO9001:2015, and ISO27001:2013 audit reports were presented to the Audit Committee. The ISO10002:2014 audit for HCPC's complaints handling process found no issues. The ISO9001:2015 audit found two minor nonconformances regarding quality policy awareness and measuring quality objectives. The ISO27001:2013 audit found a minor nonconformance around recording website availability KPIs in meeting minutes. The Audit Committee was asked to note the reports, which had no known resource implications.

Audit Committee, 4 June 2019

BSI ISO10002:2014, ISO9001:2015 and ISO27001:2013 audit reports

Executive summary and recommendations


Introduction

HCPC have been audited by BSI for ISO certifications three times so far in 2019.

The ISO10002:2014 audit covered Service Complaints and customer service and is
carried out on an annual basis. No nonconformance or opportunities for improvement
were noted.

The ISO9001:2015 Quality Management System audit is the first of two audit sessions
in 2019. The findings are as follows.

• Minor nonconformance: Lack of awareness of the location and meaning of the Quality
Policy and objectives.
• Minor nonconformance: Measuring quality objectives (objective measures) in HR;
turnover targets should be measurable and potentially based on location and type of
employee.
• Opportunity for Improvement: Simplify the internal and external audits schedule.

The ISO27001:2013 information security audit is carried out on an annual basis. The
findings are as follows.

• Minor nonconformance: Objective measures (KPIs) for website availability falling
below target were not discussed and recorded in SMT minutes.

Decision

The Audit Committee is asked to note the reports.

Resource implications

None known

Appendices
• BSI Audit report ISO10002:2014 – February 2019
• BSI Audit report ISO9001:2015 – April 2019
• BSI Audit report ISO27001:2013 – April 2019

Date of paper

20 May 2019

Audit Committee
4 June 2019
Page 1
Assessment Report

Health & Care Professions Council

Assessment dates: 21/02/2019 to 22/02/2019 (please refer to Appendix for details)
Assessment location(s): London (000)
Report author: Ali Mian
Assessment standard(s): ISO 10002:2014


Table of contents
Executive summary ...................................................................................................................................................... 3
Changes in the organization since last assessment ..................................................................................................... 4
NCR summary graphs ................................................................................................................................................... 5
Your next steps ............................................................................................................................................................. 6
NCR close out process .............................................................................................................................................. 6
Assessment objective, scope and criteria .................................................................................................................... 7
Assessment participants .............................................................................................................................................. 8
Assessment conclusion ................................................................................................................................................ 9
Findings from this assessment ...................................................................................................................................10
Opening meeting: changes to the Complaints Management System since the previous assessment: ................10
ISO 10002:2014 Complaint Management System Requirements - Clauses 4,5,6,7.1,8: .......................................11
Top Management Discussion - Clause 5.3.1: .........................................................................................................15
Operation of Complaints Handling process - ISO 10002:2014 Clause 7: ...............................................................15
Next visit objectives, scope and criteria .....................................................................................................................18
Next visit plan .............................................................................................................................................................19
Appendix: Your certification structure & ongoing assessment programme..............................................................20
Scope of certification .............................................................................................................................................20
Assessed location(s) ...............................................................................................................................................20
Certification assessment programme ....................................................................................................................21
Mandatory requirements – recertification ............................................................................................................22
Definitions of findings: ...........................................................................................................................................24
How to contact BSI.................................................................................................................................................25
Notes ......................................................................................................................................................................25
Regulatory compliance ..........................................................................................................................................26


Executive summary
Congratulations! A positive recommendation for continued certification to ISO 10002:2014 is being
made.

The complaints management system was shown to support the organisation’s strategic direction and
intended results as explained by the Head of Business Process Improvement, Quality Compliance Auditor
and the Executive Director of Policy and External Relations and defined in the organisation’s objectives.
This was also evidenced, for example, via a culture of quality and performance, attention to service
improvements, manifest continual improvement activities and an ongoing good demonstration of intent
to ensure its CMS is effectively implemented and improved.

HCPC's Service and Complaints Management continues to make positive ongoing improvements to the
complaints management system to improve its effectiveness and compliance with ISO 10002:2014
Standard.

Key positive elements observed during the assessment:

a. Detailed preparation of the CMS Documents for this assessment
b. Improvement initiatives based on recommendations from internal and external reviewers and
feedback from the senior leaders of the organisation.
c. Comprehensive monitoring and review (both internal and external) of the complaints management
system.

The interview with the Executive Director of Policy and External Relations confirmed that the
organisation places value upon the certification citing for example:
- Improving performance;
- Client Focus;
- Discipline;
- ISO 10002 has become part of the culture.

Auditees interviewed demonstrated system effectiveness in their work throughout with a good standard
of planning relative to managing customer relationships.

Assessment durations were also discussed and the process was explained and agreed with the Client.
The Risk / Complexity Level remains unchanged. The number of staff was confirmed and was used to
confirm the frequency and duration of assessment visits (Effective Number of Employees = 29 for this
location). The number of visit days remains adequate.

Sampled processes at this assessment have been shown as having been applied in a controlled &
intended manner. There have been neither non-conformities nor opportunities for improvement raised
as a result of this assessment. Record keeping was good throughout the audit and retrieval of records
was prompt.

This assessment demonstrated that the complaints management system is working effectively and
consequently can be recommended for re-certification. The recommendation will be independently
verified within BSI. Upon verification your certificate of certification will be issued.

I would like to thank all participants for their help and co-operation which helped the assessment to run
smoothly and to schedule.


Changes in the organisation since last assessment

There has been no significant change to the organisation structure or to the key personnel involved in
the audited management system.

No change in relation to the audited organisation’s activities, products or services covered by the scope
of certification was identified.

There was no change to the reference or normative documents related to the scope of
certification.


NCR summary graphs

There have been no NCRs raised.


Your next steps

NCR close out process

There were no outstanding nonconformities to review from previous assessments.

No new nonconformities were identified during the assessment. Enhanced detail relating to the overall
assessment findings is contained within subsequent sections of the report.

Please refer to Assessment Conclusion and Recommendation section for the required submission and
the defined timeline.


Assessment objective, scope and criteria

The objective of the assessment was to conduct a reassessment of the existing certification to ensure
the elements of the proposed scope of registration and the requirements of the management standard
are effectively addressed by the organisation's management system.

The scope of the assessment is the documented management system with relation to the requirements
of ISO 10002 and the defined assessment plan provided in terms of location and areas of the system
and organisation to be assessed.

ISO 10002:2014
Health & Care Professions Council management system documentation.


Assessment participants

Name               Position                                                   Opening meeting  Closing meeting  Interviewed (processes)
Roy Dunn           Head of Business Process Improvement                       X                X                X
Ewan Shears        Quality Compliance Auditor / Service and Complaints Manager X                X                X
Jacqueline Ladds   Executive Director of Policy and External Relations                                          X
Chantelle Mayoss   Transactions Manager, Finance Dept                                                           X
Katherine Timms    Head of Policy and Standards                                                                 X
Alan Shillabeer    Head of Investigations, FTP                                                                  X
Sarita Wilson      Head of Case Reception & Triage, FTP                                                         X
Adam Mawson        Registration Manager                                                                         X
Sami Yemane        Registration Manager                                                                         X


Assessment conclusion
BSI assessment team

Name Position
Ali Mian Team Leader

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. The audit team
concludes based on the results of this audit that the organisation does fulfil the standards and audit
criteria identified within the audit report and it is deemed that the management system continues to
achieve its intended outcomes.

RECOMMENDED - The audited organisation can be recommended for recertification to the above listed
Standard, and has been found in general compliance with the audit criteria as stated in the above-
mentioned audit plan.

Use of certification documents, mark / logo or report

The use of the BSI certification documents and mark / logo is effectively controlled.


Findings from this assessment

Opening meeting: changes to the Complaints Management System since the previous assessment:
• Introduction of Auditor and his role.
• Attendance record; confirmed.
• Confirm BSI’s NDA.
• Ascertain confidentiality of audits; confirmed.
• Conditions of Service (in BSI proposal document).
• Confirm assessment standards = ISO 10002:2014.
• Scope:- "The operation of a Complaints Management System to the requirements of ISO 10002:2014".
This has been considered during this audit and would appear accurate to the activities and nature of the
organisation at this time.
• Confirm number of staff in scope = 29.
• Confirm Effective number of staff in scope = 29.
• Clarify any exclusion - N/A.
• Clarify which site this audit applies to - Park House 184 - 186 Kennington Park Road London SE11 4BU
United Kingdom.
• Clarify Client has access to and is using the BSI Assurance Portal: Yes, confirmed. Client has full
access to Portal, however, has yet not started to fully use it. The benefits and value of the Portal have
been explained to the Client during the Opening Meeting.
• Clarify any changes to Client organisation since last audit: None that would affect registration.
Changes and improvements to the organisation since the last audit include:
~ The Executive Management Team no longer exists, replaced by the Strategic Management Team (4
people).
~ Operations Management Team established.
~ Created new department: Quality Assurance Dept (Head of Business Process Improvement is part of
this).
~ Ewan Shears (Quality Compliance Auditor, replacing Kayleigh Birtwistle in the role) is doing
secondment of the Service and Complaints Manager role.
~ Slight amendment to process: No longer prioritize every repeat complaint from the individual,
reflected in the process, signed off by SMT in Jan 2019.
~ The role of Director of Council and Committee Services no longer exists, now Head of Governance.
~ Investment in technology: getting a new Registration system, new Website.
~ Secretariat no longer exists, now Governance. They no longer deal with complaints, Quality Assurance
Dept take responsibility of this.
~ FTP OPS / A&D now known as A&D, all complaint management centralized to the Service +
Complaints Manager.
• Explain audit methodology, and audit findings reporting; complete.
• Seek objective evidence of conformity via interview & observation, note taking, audit trails &
assessment based on sampling.
• Minors, Majors Imp Ops, good practice, no consultancy; confirmed.
• Possible audit outcomes. Recommendation for certification. However, if Major nonconformity raised
then a revisit is required; failure to complete any proposed revisit may result in recommendation not
being made.
• Request for guides and /or person-in-charge of processes; confirmed.
• Clarify specific health and safety requirements, fire alarm tests; confirmed.
• Clarify availability of relevant reference documents and standards; confirmed.
• Room for writing report.


• Breaks, lunch.
• Closing meeting time, date; confirmed.
• Appeals & Complaints information in the BSI terms of Service.
• Do we need a PO = No.
• Dialogue with regulators prosecutions prohibitions made or pending - None.
• Complaints received by BSI - None.
• Use of logos; Not Used.
• Questions; None.

It was stated that there have been no major changes to the CMS; nothing observed during the course of
this audit would suggest anything to the contrary.

ISO 10002:2014 Complaint Management System Requirements - Clauses 4,5,6,7.1,8:
Planned activities: Review of the organisation's complaint management system. Review and evaluate
level of understanding, system status, key performance measures, processes, objectives, applicable
documented information and operation of the management system.

Methods for determining process results are: - Recommendation to continue with the ISO 10002:2014
certification.

The processes were effective and planned activities and results achieved in all areas assessed.

The Guiding Principles and specific requirements of the Standard were verified to be effectively planned
and executed. The assessment confirmed the following CMS mandatory Controls to be in place.
Documented information seen and topics discussed: -

• Discussions held with the Head of Business Process Improvement and the Quality Compliance Auditor
in attendance.

• A combination of electronic and hard copy media is employed for the management of the CMS
activities.

• Evidence was seen of how the CMS provides version control. The required structure of documented
procedures is fully developed and the organisation has determined the extent to which documented
procedures are required.

• A template for procedures is fully developed and a range of factors influencing the need for
procedures, including business risk, likely capability of users, process complexity have been considered.

• The organisation has established processes and tools to fulfil customer needs.

• The SMT and the CEO have reviewed and endorsed the Customer Service Policy on 05th July 2018 to
ensure relevant statutory and regulatory requirements have been met. The Policy is appropriate to the
organisation and contains all elements required by the Standard.


• HCPC Customer Services Procedure updated 25th Oct 2018. The organisation has developed good
processes for complaints management, from determination of requirements to response to the
complainant. This is supported through regular communication where employees are updated with
regards to changes and issues which are on the horizon. Documented information is retained to ensure
that the performance of the CMS is effectively implemented. All documents have referencing convention
applied. Records were also noted as being retained as required, with the assessor having access to all
requested records throughout.

• As seen and reviewed in previous BSI Assessments:

a. Accessibility: The organisation demonstrated an effective complaint handling process which is
accessible to all personnel. Information regarding complaints is available to all complainants via the
website. Accessibility includes clear supporting information in how to make and process a complaint (as
above).
b. Responsiveness: The organisation has effectively planned its complaints handling process in the
documented HCPC Customer Services Procedure available on the HCPC Intranet. Aims: To acknowledge
receipt of feedback within 3 working days. To respond to feedback within 15 working days. To keep you
regularly updated as to the progress of your enquiry if the issue has not been resolved within agreed
times. To deal with all feedback in an effective, fair and confidential manner. To ensure continuous
learning is taken from feedback and implemented. Procedure also provides processes for Stage 1, Stage
2, Stage 3 and Outcome of Complaints.
c. Objectivity: Objectivity in processing a complaint was demonstrated in an equitable and unbiased
manner.
d. Charges: Access to the complaints-handling process is free of charge to the complainant.
e. Confidentiality: Processes are in place to protect personal identifiable information from disclosure. All
complaints will be treated in strict confidence.
f. Customer-focused approach: The Service and Complaints Management demonstrated an effective
customer-focussed approach, this included processes to be more customer centric communicated across
the organisation. There was evidence of commitment in resolving complaints through its corrective
action process. The Service and Complaints Management have developed processes to support values
and behaviours which are focussed on continuous improvement through the robust complaints
awareness updates, articles and posts on the HCPC Intranet.
g. Accountability: Responsibilities and accountability are formalised and documented within the HCPC
Customer Services Procedure. The Service and Complaints Manager is accountable for reporting on the
actions and decisions of HCPC with respect to Customer Services. Job Description seen for: Service and
Complaints Manager.
h. Continual Improvement: The organisation demonstrated continual improvement which included
formalisation of its complaints process to achieve the requirements of this Standard. Management
Review meetings are held to progress product and process improvements.
i. The organisation has determined necessary channels to publicise methods to make a complaint. These
include:-
- Website;
- By Post;
- Email: [email protected];
- By phone;
- Complaint Form.
The organisation demonstrated visibility for its customers with regard to its complaints handling system.


• SMT, 14th January 2019: Review of ISO 10002:2014 (Customer Service) Policy, Processes and
Procedures. Executive Summary and Recommendations. Confirmation and verification that the Customer
Services Policy, Procedure and Management System processes have been reviewed by the SMT,
considered and approved. Flow-Charts established for: QA Customer Complaints and QA Customer
Complaints Review.

• Effectively planned processes were evidenced focused on improving customer satisfaction,
requirements of interested parties and operational control. This supports the complaints handling
process framework, policy and objectives. Interrelated activities were evidenced which demonstrated
effective execution of planned arrangements, resources and controls. The infrastructure and workplace
environment was conducive to achieving objectives. Documented objectives are aligned with the
customer complaints policy and are measurable. Performance is reviewed at regular management
meetings. The management team demonstrated commitment to achieving requirements and improving
the performance of supporting functions to reduce the level of customer complaints. Evidence seen:
a. External Training Provider (engaged to deliver training) 'Bond Solon' have provided customised
Service Complaints Management training to a number of employees in Sept 2017. The aim is to roll this
out again in 2019 due to positive feedback from the attendees.
b. Objectives have been developed around the strategy work streams. The following objectives have
been sampled detailing priority, initiatives, measuring activity, measuring impact, timelines
(completions) and responsibilities:
- To acknowledge receipt of feedback within 3 working days.
- To respond to feedback within 15 working days.
Metrics, in place (see below), effectively support the direction of the business. They are appropriate to
the size, nature and culture of the organisation. It was noted that where targets have not been achieved
appropriate action has been taken.

• Communications: Due to the scale of the organisation, this is easily achieved, through team
discussions, periodic management meetings and the use of electronic systems, such as email.

• Performance monitoring is a key driver for improvement. The organisation demonstrates appropriate
levels of monitoring and measurement to support the strategic direction of the organisation. Effective
processes are in place including communication channels to identify improvements to products and
processes. Evidence seen:
a. Customer Service Report - November 2018. The following has been reported:
- Received 47 complaints in November 2018.
- Main areas of negative feedback: Registration (33 complaints), FTP (10 complaints).
- All complaints received in Nov 2018 are closed.
- 35 of 45 complaints were responded to within the Customer Service standard of 15 working days. 2
complaints were closed without a response due to complaints being withdrawn.
- Complaints Outcomes: 20% Upheld, 60% Not Upheld, 20% Partially Upheld.
- Received 7 positive feedback letters or emails.
- Complaint Analysis - Number of complaints received from Jan 2014 to Nov 2018:
* Jan - Dec 2014: Total Number = 500, Monthly Average = 42, Comps per 1000 (yearly) 1.51.
* Jan - Dec 2015: Total Number = 518, Monthly Average = 43, Comps per 1000 (yearly) 1.52.
* Jan - Dec 2016: Total Number = 513, Monthly Average = 43, Comps per 1000 (yearly) 1.49.
* Jan - Dec 2017: Total Number = 417, Monthly Average = 35, Comps per 1000 (yearly) 1.16.
* Jan - Nov 2018: Total Number = 358, Monthly Average = 32, Comps per 1000 (yearly) 1.0.
- Complaint Responses within 15 Working Days 2014 - 18: Mostly meeting the Customer Service
Response Policy Target for this period.
- Positive Feedback Analysis - Numbers of feedback received from Jan 2014 to Nov 2018:
* Jan - Dec 2014: Yearly Monthly Average = 8.


* Jan - Dec 2015: Yearly Monthly Average = 7.
* Jan - Dec 2016: Yearly Monthly Average = 7.
* Jan - Dec 2017: Yearly Monthly Average = 5.
* Jan - Nov 2018: Yearly Monthly Average = 4.

• The management team meet on a regular basis and pertinent issues are discussed without delay. A
formal review of the CMS is undertaken on a regular basis:
a. SMT Bi-Weekly Meeting Documents dated 25th Sept 2018.
b. SMT Meeting Minutes dated 04th Dec 2018.
c. Bi-Monthly SMT Meeting Minutes dated 20th Nov 2018.

• Auditing of the Complaints-Handling Process undertaken by an impartial/independent auditor. Sampled
the following completed Internal Audit Report:
a. Audit Date: 19th Nov 2018, Date Report Issued: 15th Feb 2019. Processes or tasks being audited:
Complaints & Customer Service. 1 x OFI identified, Action Plan seen. Recommendations are effectively
logged and processed through improvement initiatives / corrective action processes. The resulting
Report was excellent and indicative of a very thorough investigation with clearly presented findings that
ably demonstrated system effectiveness. Corrective actions derived from the audit are noted as ongoing
tasks - ensuring processes are followed and embedding the system in to day-to-day activities. The
internal audit interfaces with the corrective actions process well.

• Improvement: All elements of the CMS are seen to contribute to the overall principle of Continuous
Improvement. The organisation is seen to adopt a positive and progressive outlook in this area.
Reviewed the Improvement Log.

Overall:
- From this review it is considered that the requirements of Clauses 4,5,6,7.1 and 8 of the Standard
have been met within the documented system and that significant analysis and performance reporting is
conducted, thus providing good visibility.
- Record keeping was good throughout the audit and retrieval of records was prompt.
- Management commitment to its complaints handling process and policy was evidenced throughout the
assessment.
- Process performance monitoring and evaluation was demonstrated with active involvement by top
management.
- Communication and visibility of the complaints handling process was evidenced to be effectively
managed.
- There was evidence of effective interaction between all functions within the scope of certification.
- The management reporting on the system is comprehensive with detailed analysis of KPIs, giving the
Senior Management Team an accurate evaluation of all complaints. Meeting criteria, MI Reporting and
Internal Audit all demonstrate appropriate levels of monitoring and measurement by Top Management
to support the strategic direction of the organisation. It has been verified that the comprehensive
reporting tools the organisation has at its disposal, and in particular the trend analysis of complaints, is
undertaken to very good effect and these are statistically comprehensive with detailed comparables.
- Good direct customer contact and follow up is regularly practiced in the organisation through robust
investigation, response time and reporting. This enables accurate feedback, minimizes dissatisfaction
and drives continual improvement.


Top Management Discussion - Clause 5.3.1:

The Executive Director of Policy and External Relations represented senior management during this
assessment.

The HCPC (Customer Service and Complaints) appears to be committed to certification and there were
strong levels of leadership demonstrated by the Executive Director of Policy and External Relations
throughout the top management discussion. The HCPC (Customer Service and Complaints)
demonstrates sound appreciation of the benefits of ISO 10002. The Executive Director of Policy and
External Relations demonstrated a good understanding of what is needed to drive resources
requirements as the organisation is aware of output requirements and objectives.

Operation of Complaints Handling process - ISO 10002:2014 Clause 7:

Planned activities: Review of the HCPC's complaints handling process in the following operational areas:-

- Finance;
- Policy;
- QA Customer Service;
- Fitness to Practice (FTP);
- Registrations.

Review and evaluate level of understanding, system status, key performance measures, sampling of a
selection of complaints, objectives, applicable documented information and operation of the complaints
management system.

Methods for determining process results are: - Recommendation to continue with the ISO 10002:2014
certification.

The processes were effective and planned activities and results achieved in all areas assessed.

Documented information seen and topics discussed: -

• Finance:
a. The scope of assessment included interview, observation and access to records.
b. Interview held with the Transactions Manager.
c. The type of complaints received relate to: people being removed for non-payment of fees, people
who have been on the Register and asked to be removed and then ask for a refund. No complaints
received in 2019 year to date.
d. The following complaint was selected for review:
- Registration No. SL27610 'Membership Fee Unpaid'. Received via Email 30th Nov 2018. Registrant Info
seen. 1st and 2nd Notification Letters sent (Missed DD Payment). Letter dated 07th Dec 2018 sent
'Removal from the HCPC Register'. Queried with the Registration Manager. Response to Complaint seen
dated 20th Dec 2018. Corrective Action: None. Advised Re-Admission.


• Policy:
a. The scope of assessment included interview, observation and access to records.
b. Interview held with the Head of Policy and Standards.
c. Two routes in for complaints: complaints referred in from the main Complaints Team and complaints
through the Policy Mailbox. Complaints predominantly related to the Fees Consultation.
d. Policy and Standards Enquiries Log 2019 reviewed. Good system in place to track enquiries and
complaints.
e. The following complaint was selected for review:
- Complaint received directly into the Complaints Team via letter dated 22nd Nov 2018 'Re-Registration
of Clinical Biochemists on Returning to Work'. Correspondence Folder seen. Response to Complaint
(Letter) seen dated 18th Dec 2018.

• QA Customer Service:
a. The scope of assessment included interview, observation and access to records.
b. Interviews held with the Quality Compliance Auditor / Service and Complaints Manager and Head of
Business Process Improvement.
c. Various routes for receipt of complaints explained: HCPC Feedback Inbox, referrals from other
departments.
d. The complaints system is driven by the iExtensions Database. Complaints Log maintained for review
and monitoring; sampled: 15th Feb 2019 and 21st Feb 2019.
e. The following complaints were selected for review:
- HPC6179, dated 18th Feb 2019, New Ticket, Category: Registration Process, via email HCPC Feedback,
International SLT applying for Registration, delays and miscommunication experienced.
Acknowledgement via email seen dated 21st Feb 2019. Assigned to Manager in the Registration Team
for review. Response Due Date: 12th March 2019.
- HPC5988, dated 13th Nov 2018, via email HCPC Feedback, UK REG, complaint from a Registrant about
spending several hours trying unsuccessfully to renew online and being unable to get through on the
telephone to follow up the problems. Acknowledgement via email seen dated 13th Nov 2018. Assigned
to Manager in the Registration Team for review. Response via email seen dated 30th Nov 2018. Partially
Upheld. Status: Closed (within SLA).

• Fitness to Practice (FTP):
a. The scope of assessment included interview, observation and access to records.
b. Interviews held with the Head of Investigations, FTP and Head of Case Reception & Triage, FTP.
c. Complex, escalated cases following stages of: Case Receipt, Triage, Investigation, Case Management,
Conclusion. Case Handling protocols and FTP Operational Guidelines followed. As of 14th Jan 2019, new
Threshold Policy replaced Standard of Acceptance. FTP complaints now go centrally to feedback.
d. The following complaints were selected for review:
- On-going escalated case FTP Case Refs: 62018, 62072, 62177, 62607, 62608. Case related to
professionals not regulated by HCPC. Various stages of complaint correspondence, investigation seen
including current status which is escalation to the Head of FTP. Follow-on letter dated 05th Feb 2019
seen. The Head of FTP has responded to the complainant on 20th Feb 2019. Case remains under
review.
- Case Ref: FTP54349, latest receipt of complaint: 31st Jan 2019. Full Response is due.
- Case Ref: FTP58439, received: 25th Oct 2018. Responded to on: 08th Nov 2018.


• Registrations:
a. The scope of assessment included interview, observation and access to records.
b. Interviews held with the Registration Managers.
c. Split into: UK Applications and International Applications (European Applications).
d. Systems in use: iExtensions, Lotus Notes, NetRegulate.
e. Document control: complaint responses are stored on the Shared Drive ('G' Drive) with only Managers
having access to it; complaints are categorised into different categories.
f. The following complaints were selected for review:
- SW28153 - Registrant Information. Original complaint received via email: 13th Dec 2018. Complaint
regarding CPD Submission. Complaint Response seen dated 15th Jan 2019. Extended deadline for CPD
submission.
- OR05998 - Registrant Information. Original complaint received via email: 04th Jan 2019. Complaint
regarding voluntary de-registration declaration. Complaint Response seen dated 10th Jan 2019.
- HPC6160 New Ticket, received via email on 08th Feb 2019. International applicant is frustrated with
the lengthy application process. Communications History seen. Response to be drafted.
- SW16895 - Registrant Information. Complaint received on 13th Sept 2018. Complaint related to the
Renewal Process. Response sent on 04th Oct 2018.

Overall:
- The review of this aspect of the CMS has not revealed any areas of concern and the requirements of
ISO 10002:2014 were seen to be well established and embedded within the organisation.
- Business processes effectively established achieving intended outcomes.
- The complaints handling process was evidenced to be effectively planned and executed. Sampled
areas demonstrated a professional approach to customer contact communication.
- Planned activities have been realised.
- Planned results have been achieved.


Next visit objectives, scope and criteria
The objective of the assessment is to conduct a reassessment of the existing certification to ensure the
elements of the proposed scope of registration and the requirements of the management standard are
effectively addressed by the organisation's management system.

The scope of the assessment is the documented management system with relation to the requirements
of ISO 10002 and the defined assessment plan provided in terms of location and areas of the system
and organisation to be assessed.

ISO 10002:2014
Health & Care Professions Council management system documentation.
Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation
of the visit by the organization within 30 days of an agreed visit date. It is a condition of registration
that a deputy management representative be nominated. It is expected that the deputy would stand in
should the management representative find themselves unavailable to attend an agreed visit within 30
days of its conduct.


Next visit plan

Date        Auditor     Time   Area/process                                                  Clause

23/01/2020  Assessor 1  09.00  DAY 1: Opening Meeting. Confirmation of any changes to
                               processes. Confirmation of scope of assessment and
                               assessment plan. BSI reporting of findings.
                        09.30  Interview with Top Management
                        10.00  4.0 Guiding Principles
                               5.0 Complaints Handling Framework
                               6.0 Planning & Design
                        12.00  Lunch
                        13.00  8.0 Maintenance & Improvement
                        14.30  Operation of Complaints Handling process: Policy & Standards
                        15.30  Report Writing Day 1
                        16.00  Progress Review Discussion
24/01/2020  Assessor 1  09.00  DAY 2: Arrival and Confirmation of Plan.
                        09.30  Operation of Complaints Handling process: Finance
                        10.00  Operation of Complaints Handling process: QA Customer Service
                        11.00  Operation of Complaints Handling process: FTP
                        12.30  Lunch
                        13.30  Operation of Complaints Handling process: Registration
                        15.00  Report Preparation
                        16.00  Closing Meeting


Appendix: Your certification structure & ongoing assessment programme

Scope of certification

CMS 645851 (ISO 10002:2014)

The operation of a Complaints Management System to the requirements of ISO 10002:2014.

Assessed location(s)

London / CMS 645851 (ISO 10002:2014)

Location reference              0047125084-000
Address                         Health & Care Professions Council
                                Park House
                                184-186 Kennington Park Road
                                London
                                SE11 4BU
                                United Kingdom
Visit type                      Re-certification Audit (RA Opt 2)
Assessment reference            8838865
Assessment dates                21/02/2019
Deviation from audit plan       No
Total number of Employees       29
Effective number of Employees   29
Scope of activities at the site Main certificate scope applies.
Assessment duration             2 day(s)


Certification assessment programme

Certificate number - CMS 645851
Location reference - 0047125084-000

Business area/location                                         Audit1  Audit2  Audit3
Date (mm/yy):                                                  Jan19   Jan20   Jan21
Duration (days):                                               2       2       2
Opening Meeting. Confirmation of any changes to processes.     X       X       X
Confirmation of scope of assessment and assessment plan.
BSI reporting of findings.
Interview with Top Management                                  X       X       X
4.0 Guiding Principles                                         X       X       X
5.0 Complaints Handling Framework                              X       X       X
6.0 Planning & Design                                          X       X       X
Operation of Complaints Handling process: Sample               X       X       X
Directorate Based Activity:-
- Registrations
- FTP
- Policy + Standards
- Finance
- QA Customer Service
8.0 Maintenance & Improvement                                  X       X       X


Mandatory requirements – recertification

Review of assessment findings regarding conformity, effectiveness and relevance of the
management system:
Previous visit reports have been reviewed and appropriate conclusions drawn from the data, which have
been included in this report. No nonconformities have been raised during this assessment cycle, with
no trends identified or concerns raised in other findings.

Overall, continual improvement is demonstrated.

Management system strategy and objectives:

Management set key objectives with regard to performance deliverables; these were included in the
management system and were seen to be monitored via regular management review meetings. Policies
and objectives are communicated to all employees via the management system documentation.
Management showed commitment to ensuring that the complaints management system is designed and
maintained to deliver continual improvement, customer focus and business effectiveness and efficiency.

The organisation's management system continues to remain effective. The organisation demonstrates
effective interaction of core process requirements of the Standard, such as management review process,
internal audit process, policy establishment and objective measurement and performance review. This
commitment and approach is set to be continued for the foreseeable future.

Review of progress in relation to the organisation's objectives:
Progress against objectives is monitored on a regular basis, as detailed within this report. HCPC
(Customer Service + Complaints) demonstrated compliance with the Standard. The HCPC (Customer
Service + Complaints) has consistently managed the number of complaints over the last 12 months.
Individual complaints are effectively monitored, measured and investigated to the point of resolution.
There is a dedicated focus to improve processes and best practice around customer service which is
being shared with the whole organisation. A lot of work has been done to improve customer focus
(improving service to Registrants), managing organisational change and preparing for the impact of the
forthcoming regulatory changes, which was discussed with the Executive Director of Policy and External
Relations. Evidence seen of the hard work and commitment put into this work. Also, it has been
reported that senior management and the organisation are very hands on and customer focused.

Management demonstrate that objectives and values are incorporated into the CMS.


Review of assessment progress and the recertification plan:
The scope of activities has remained constant since the last BSI assessment. It was confirmed that all
services across the organisation have been included within the assessment cycle together with top level
(core) management system processes.

The visits were aligned to the Certification Assessment Programme, which covered all activities under
the scope of registration and the clauses of the ISO 10002:2014 Standard, with overlaps.

The Client’s address and contact details have been checked and confirmed as correct. The proposed
Certification Assessment Programme has been reviewed and updated for the next certification cycle.

The assessment cycle and duration are correct at 2 days per annum based on the number
of effective employees / scope of certification (29 staff at this location).

BSI client management impartiality and surveillance strategy:
Appropriate P and T codes are held by the assessor. Impartiality has been maintained. Additional
assessors will be introduced as required in future visits.

Continue with the current total assessment days/cycle.


Definitions of findings:

Nonconformity:
Non-fulfilment of a requirement.

Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services
will meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could
demonstrate a systemic failure and thus constitute a major nonconformity.

Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.

Opportunity for improvement:
It is a statement of fact made by an assessor during an assessment, and substantiated by objective
evidence, referring to a weakness or potential deficiency in a management system which if not improved
may lead to nonconformity in the future. We may provide generic information about industrial best
practices but no specific solution shall be provided as a part of an opportunity for improvement.

Observation:
It is ONLY applicable for those schemes which prohibit the certification body to issue an opportunity for
improvement.
It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a
management system which, if not improved, may lead to a nonconformity in the future.


How to contact BSI

'Just for Customers' is the website that we are pleased to offer our clients following successful
registration, designed to support you in maximising the benefits of your BSI registration - please go to
www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference
number and your certificate number (47125084/CMS 645851).

Should you wish to speak with BSI in relation to your registration, please contact our Customer
Engagement and Planning team:

Customer Services
BSI
Kitemark Court,
Davy Avenue, Knowlhill
Milton Keynes
MK5 8PP

Tel: +44 (0)345 080 9000

Email: [email protected]

Notes

This report and related documents are prepared for and only for BSI’s client and for no other purpose.
As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for
or in connection with any other purpose for which the Report may be used, or to any other person to
whom the Report is shown or into whose hands it may come, and no other persons shall be entitled to
rely on the Report. If you wish to distribute copies of this report external to your organization, then all
pages must be included.

BSI, its staff and agents shall keep confidential all information relating to your organization and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities.
The audit method used was based on sampling the organization’s activities and it was aimed to evaluate
the fulfilment of the audited requirements of the relevant management system standard or other
normative document and confirm the conformity and effectiveness of the management system and its
continued relevance and applicability for the scope of certification.

As this audit was based on a sample of the organization's activities, the findings reported do not purport
to include all issues within the system.


Regulatory compliance

BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-
compliance or incidents that require notification to any regulatory authority. Acceptance of this report
by the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.

Assessment Report

Health & Care Professions Council

Assessment dates        09/04/2019 to 10/04/2019 (Please refer to Appendix for details)
Assessment Location(s)  London (000)
Report author           SathishKumar Seenuvasan
Assessment Standard(s)  ISO 9001:2015

Table of contents
Executive summary ... 3
Changes in the organization since last assessment ... 4
NCR summary graphs ... 5
Your next steps ... 6
  NCR close out process ... 6
Assessment objective, scope and criteria ... 7
Assessment participants ... 8
Assessment conclusion ... 9
Findings from this assessment ... 10
  Opening Meeting ... 10
  Quality Management System - Policy, Objectives, Changes, Plan to achieve ... 10
  Risk Register - Planning ... 11
  Work Environment, Infrastructure and Facilities Management ... 12
  Senior Management Interview ... 12
  Finance - Procurement (Purchasing and Suppliers) ... 13
  Finance - Transactions ... 13
  Finance - Forecasting ... 13
  Projects ... 14
  Internal Audit, Corrective Action and Improvement ... 14
  Management Review and Improvement ... 15
Minor (2) nonconformities arising from this assessment ... 16
Next visit objectives, scope and criteria ... 18
Next visit plan ... 19
Appendix: Your certification structure & ongoing assessment programme ... 20
  Scope of certification ... 20
  Assessed location(s) ... 20
  Certification assessment programme ... 21
  Mandatory requirements – Recertification ... 23
  Justified exclusions / Non applicable clauses ... 24
  Expected outcomes for accredited certification ... 24
  Definitions of findings ... 25
  How to contact BSI ... 25
  Notes ... 25
  Regulatory compliance ... 26

Executive summary
The commitment and involvement of Top Management in establishing a process-driven approach to
achieving the desired outputs of the Quality Management System is evident through the bimonthly SMT
meetings, periodic employee meetings, and the transparent communication and policy set-up in place.

The risk assessment planning and mitigation plans in place at the organisation demonstrate the
dedication and commitment of the Quality Management System and its processes to fulfilling the
needs and expectations of stakeholders.

The organisation has shown care and due diligence in understanding its context, determining the
scope of the Quality Management System and managing change when formulating its strategic policy
to achieve the organisation's business objectives and goals.

The organisation's well-defined and implemented Internal Audit programme, Management Review planning
(bimonthly SMT meetings) and process-based approach to mitigating / avoiding risks and using the available
opportunities are good examples of the organisation's care in achieving the desired results.

During this assessment two minor nonconformities and one opportunity for improvement
were found, due to inconsistencies in a few of the processes in place.

During the previous assessment cycle the organisation took considerable steps in finding the root
cause of the NCs raised by BSI assessors, took appropriate corrective actions to avert the
recurrence of any such events / findings, and put processes and systems in place for continual
improvement.

As a result of the assessment, it is now appropriate to make a positive recommendation for
recertification of ISO 9001:2015, and your certificate will be forwarded on completion of the BSI review of
the assessment report. We at BSI thank all participants of the assessment from the Health and Care
Professions Council for your co-operation and support during this recertification assessment.

Changes in the organization since last assessment
The following changes in relation to organization structure and key personnel involved in the certified
management system were noted:

New Chair of Council was appointed on 01 Mar 2019.

The following changes in relation to the certified organization activities, products or services covered by
the scope of certification were identified:

Implementation of new version of QMS /IMS will be carried out in April /May 2019.
Transfer of Social Workers from HCPC to SWE is expected shortly and the organisation is planning and
implementing the processes and procedures for the successful changeover process.

There was no change to the reference or normative documents related to the scope of
certification.

NCR summary graphs
[Graphs: Areas of the standard(s) where BSI recorded findings; Which standard(s) BSI recorded findings against; Where BSI recorded findings]

Your next steps

NCR close out process

There were no outstanding nonconformities to review from previous assessments.

2 minor nonconformities requiring attention were identified. These, along with other findings, are
contained within subsequent sections of the report.
A minor nonconformity relates to a single identified lapse, which in itself would not indicate a breakdown
in the management system's ability to effectively control the processes for which it was intended. It is
necessary to investigate the underlying cause of any issue to determine corrective action. The proposed
action will be reviewed for effective implementation at the next assessment.

Please refer to Assessment Conclusion and Recommendation section for the required submission and
the defined timeline.

Assessment objective, scope and criteria
The objective of the assessment was to ascertain the integrity of the organization's management system
over the current assessment cycle to enable recertification and confirm the forward strategic assessment
plan.

The scope of the assessment is the documented management system with relation to the requirements
of ISO 9001 : 2015 and the defined assessment plan provided in terms of locations and areas of the
system and organization to be assessed.

ISO 9001:2015

Health and Care Professions Council management system documentation

Assessment participants

Name                  Position                                         Opening  Closing  Interviewed
                                                                       meeting  meeting  (processes)
Roy Dunn              Head of Business Process Improvement             X        X        X
Ewan Shears           Quality Compliance Auditor                       X        X        X
James McMahon         Office Services Manager                                            X
Aled Rees             Facilities Manager                                                 X
Margaret Osibowale    Interim Head of Finance - Accounting                               X
Antonio Pinheiro      Procurement Officer                                                X
Paul Cooper           Interim Head of Projects                                           X
Jacqueline Ladds      Executive Director, Policy & External Relations                    X
Katherine Timms       Head of Policy and Standards                                       X
Chantelle Mayoss      Transaction Manager                                                X
Marc Seale            Chief Executive and Registrar                                      X

Assessment conclusion
BSI assessment team

Name Position
SathishKumar Seenuvasan Team Leader

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. The audit team
concludes based on the results of this audit that the organization does fulfil the standards and audit
criteria identified within the audit report and it is deemed that the management system continues to
achieve its intended outcomes.

RECOMMENDED - Corrective Action Plan Required ('Minor' findings only): The audited organization may
be recommended for continued certification, based upon the acceptance of a satisfactory corrective
action plan for all 'Minor' findings as shown in this report. Effective implementation of corrective actions
will be reviewed during the next surveillance audit.

Please submit a plan to BSI detailing the nonconformity, the cause, correction and your proposed
corrective action, with responsibilities and timescales allocated. The plan is to be submitted no later than
17/04/2019 by e-mail to [email protected], referencing the report number, or through the BSI
Assurance Portal if this is enabled for your account.

Use of certification documents, mark / logo or report

The use of the BSI certification documents and mark / logo is effectively controlled.

Findings from this assessment

Opening Meeting:
The Recertification Assessment visit plan for ISO 9001:2015 was discussed with and briefed to the client; the
opening meeting was attended by the Head of Business Process Improvement and the Quality
Compliance Auditor.
The client requested minor amendments to the assessment plan with respect to the availability
of process owners and Top Management; these were reviewed and found acceptable.
Availability of key personnel for interview and of the document systems needed for the assessment was
confirmed with the client.
The strategic review pack was discussed with the client, who was briefed in detail on the findings of the
previous assessment cycle.

Quality Management System - Policy, Objectives, Changes, Plan to achieve:

Objective Evidence / Discussions / Process Reviewed.

Quality Management System
In determining the scope of the Quality management system the organisation has carried out a detailed
analysis of internal and external issues and the needs and expectations of the interested parties, which
is evident through the organisation's Risk Management Process and QMS Manual.
Continual improvement of the QMS is being carried out by the periodical review of the effective
performance of the processes and their interactions through the Objective performance reviews and Bi
monthly SMT meetings.
New version of the QMS is in draft stage and SharePoint version will be made available in end April
/early May.

Quality Policy
Reviewed once a year, as well as when there is a need due to changes in internal and external factors
that affect the performance of the QMS.
Control and approval authority for the Policy follows a streamlined process: changes are drafted by the
Quality Manager and approved by SMT.
The Policy is communicated to all employees and other interested parties through the HCPC intranet and
HCPC website; however, a lack of awareness of the Policy and relevant Quality objectives was found
among a few employees and resulted in a Minor NC (Ref 1763278-201904-N1).

Quality Objectives
Individual department KPIs that result in the delivery of the desired QMS outputs are established and
monitored, and requisite actions are being taken to achieve the desired results; however, the lack of
measurable objectives in the case of the HR and Project departments has resulted in a Minor NC (Ref 1763278-
201904-N2).

Effectiveness of the System and Process were reviewed with the following evidence:-

Health and Care Professional Council Quality Management Manual 20190310-9001_2015.
HCPC Consolidated Legislation dated 01 Aug 2012.
Rec 1.6A Roles and responsibilities V1.5 Combined ISO
Authorities - Rec 6.6A - Authorities and key suppliers and special interest groups.
Quality Policy V.5 - 20190102 dated 02 Jan 2019.
List of Legislation and Regulation V2.6 dated Jul 2018.
Risk Management Process 20180921 iQTY Risk Management and Risk Treatment Process
REC 3A Objective Measures Spreadsheet - ALL STDS V3
Chief Executive Officer Report - FTP Overview - Table 1.
Email - HR and Partners Labour Turnover; Attachments - HR2 - Comm4perf.docx
HCPC Performance report dated 20 Mar 2019.
Quality Assurance Department - Audit Committee report dated 05 Mar 2019.
Information Security Department - YAMMER post dated 05 Apr 2019.
Alternative Registrant Numbers Module RF2SW 1st Dec 2019 dated 13 Mar 2019.
Drivers - Number of Registrants - 4.
FTP Improvement Plan - Kellie Green dated 28 Jan 2019.
Quality assurance Reports and Outputs - OMT and SMT actions.
Bimonthly SMT Meeting Minutes - samples dated 25 Sep 2018, 09 & 23 Oct 2018, 6 & 20 Nov 2018 and
4 Dec 2018.

Risk Register - Planning:

Objective Evidence / Discussions / Process Reviewed.

Risks are being categorised into two types as Strategic and Enterprise Risks. Strategic Risks are the ones
which cause potential hazard to the Organisation's strategy and goodwill, as well as trigger further
Enterprise or operational risks which may affect the day to day operations.
A 5X5 Risk management matrix is being exercised with minimum three mitigation plans to counter the
risks.
In addition, ten potential enterprise risks are identified as the Top 10 Key risks and mitigation plans and
control measures are devised to avert / mitigate the risks. Out of these Ten risks three risks are being
categorised as High Risks and rest as Medium.
A Risk Assessment and Risk Treatment plan is in place to handle the High Risks, with contingency plans
and resources in place.
Periodical evaluation of the risk assessments and control measures are being taken by respective
Process owners (Departments) and being monitored by the SMT and OMT.
Suitable and adequate steps are in place to integrate and implement the actions into QMS and to
evaluate these actions.

Effectiveness of the system and process was reviewed against the following evidence:

Risk Management Process 20180921 iQTY Risk Management and Risk Treatment Process
Enterprise Risk register and Strategic Risk register
Risk Register and Risk Treatment Plan Ver 20190403 dated Apr 2019.
Risk Assessment and Risk Treatment Plan dated Feb 2019.
Alternative Registrant Numbers Module RF2SW 1st Dec 2019 dated 13 Mar 2019.
Internal Audit Report - Intruder Jan 2019.
Health and Care Professional Council Quality Management Manual 20190310-9001_2015.
HCPC Consolidated Legislation dated 01 Aug 2012.

Work Environment, Infrastructure and Facilities Management:

Objective Evidence / Discussions/Process Reviewed.

A Service Desk application tool is used by the organisation to manage work environment, infrastructure and facilities matters, in addition to the employee forum, emails, telephone calls and verbal complaints.
A streamlined process was visible for accepting and storing complaints / queries, with a daily review of pending complaints in the system against actions taken / completed.
Measuring and monitoring of key operational processes such as fire fighting, temperature control, ventilation etc. is outsourced (ENSYS) and monitored effectively and periodically.
The last annual contract with ENSYS was signed on 22 Jan 2018; upon completion of the contract period, the outsourcing agency continues the support operations at HCPC at the same rates.

Effectiveness of the system and process was reviewed against the following evidence:

Interview of Office Services Manager and Facilities Manager.
Service Desk Application Software.
ENSYS Contract dated 22 Jan 2018.

Senior Management Interview:

Objective Evidence / Discussions/Process Reviewed.

The commitment and involvement of Top Management in establishing a process-driven approach to achieving the desired outputs of the Quality Management System is evident through the bimonthly SMT meetings, periodic employee meetings, and a transparent communication and policy set-up.

Policies pertaining to change management, risk planning, business objectives, standards, registrants, the compliance system, improvement plans, etc. are well planned from the drafting phase through to the end-project phase.

The availability of effective communication processes and procedures is evident through the transparency and efficiency of internal and external communication with the respective stakeholders.

Evidence of Top Management’s commitment to the development and implementation of the quality management system and its continual improvement can be seen in the role of top management in reviewing and approving the quality policy and quality objectives, in the bimonthly reviews, in ensuring the availability of resources, in overseeing implementation at all levels, and in evaluating and revising the policy and objectives as needed.

Effectiveness of the system and process was reviewed against the following evidence:

Interview with Chief Executive and the Executive Director - Policy and External Relations
Risk Management Process 20180921 iQTY Risk Management and Risk Treatment Process.
Bimonthly SMT meetings dated
- 25 Sep 2018
- 09 & 23 Oct 2018.
- 06 & 20 Nov 2018.

- 04 Dec 2018.
Status Report 20190404 - MP94 - FTP CMS Review
Work plans for fee Changes and Draft Consultation Document - Registration fees
Consultation Principles
Policy Team Manual.

Finance - Procurement (Purchasing and Suppliers):

Objective Evidence / Discussions/Process Reviewed.

A five-tier procurement policy is in place, and procurement approvals are governed by the Procurement Policy and Manual.
Support for resource management was visible through the review of the Procurement Policy and procedures, which establish the protocols, authorisation, and roles and responsibilities.

Effectiveness of the system and process was reviewed against the following evidence:

Procurement Manual Ver. 1.2 dated Oct 2016.
Procurement Policy Approved on 02 Dec 2015.
Interview of Procurement Officer.

Finance - Transactions:
Objective Evidence / Discussions/Process Reviewed.

Risk assessment and mitigation plans are in place and were witnessed through the trial / test platform runs.
Operational processes pertaining to fund generation were witnessed through the samples given below.
A live review system is in place, along with an active feedback mechanism.
An effective internal and external communication system is in place to achieve stakeholder confidence and trust.

Effectiveness of the system and process was reviewed against the following evidence:

Interview with Transaction Manager.
Finance Transactions Process Flowchart.
World Pay Statements.
Copy of Social Work Transfer - Finance report 2.
Registrant Information Portal - RA4213 (sample).

Finance - Forecasting:
Objective Evidence / Discussions/Process Reviewed.

Six-month (April - Sep) and nine-month (Apr - Dec) forecasting processes are in place to cater for budget allocation and resources management.
The department is well aware of the immediate risks pertaining to budget forecasting and cost management plans (transfer of Social Work to SWE: intended financial loss, subscription transfer and

communication with the Department of Health).
Income - expenditure gap analysis and monthly review of priority planning procedures (KPIs) demonstrate support for the department's five-year financial budgeting plan.

Effectiveness of the system and process was reviewed against the following evidence:

Priority plans PowerPoint slides
Five year Plans - Forecasting and Expenditures
Interview with Interim Head - Financial Accounting.

Projects:
Objective Evidence / Discussions/Process Reviewed.

The project team comprises six Project Managers (02 Senior Project Managers and 04 Project Managers).
In the initial planning phase the project portfolio covers risk assessment and control measures, resource planning, business objectives, the timeline process, budget planning, the stakeholder / management perspective, the project lifecycle and change process management.
For any deviation from the project plan the approving authority rests with the SMT, and a zero-tolerance policy is in practice towards cost and time factors.
A fortnightly review report by the respective Project Managers and a monthly review by the Head of Projects are used to streamline the processes and achieve the objective.
The second phase of the project, covering planning and execution, addresses the development cycle, the structural process at operational level, budget forecast vs actuals, and monthly reviews and reports to realign deviations in achieving the Quality Management System's desired outputs.
Prioritisation of processes and projects is in place to achieve stakeholder satisfaction and trust; key milestone reviews allow for resource planning and risk aversion.

Effectiveness of the system and process was reviewed against the following evidence:

Interview of Interim Head of Projects.
Project Folder -- Major Projects folder -- Project Management Process - Templates.
Project Initiation Plan V2.mpp
Status Report 20190404 - MP94 - FTP CMS Review
End Project Report - MP 90 Review
Lessons Learned Report _1.0 Final.xlxs

Internal Audit, Corrective Action and Improvement:

Objective Evidence / Discussions/Process Reviewed.

Key processes to be audited are identified, and the programme for 2018 was established and completed. However, the audit programme for 2019 is not yet finalised; the Head of BPI confirmed that after the OMT meeting planned in April the programme will be finalised and implemented for all respective processes.

The Internal Audit Programme for 2018 was found to be merged with the programme schedule of other third-party audit bodies, which may cause ambiguity in following up the internal audit programme for the respective departments / processes. This has been identified as an opportunity for improvement (Ref 1763278-201904-I1): the organisation may in future devise a separate internal audit programme detailing the auditor, auditee, methods and frequency with greater clarity, to enhance the process.

Effectiveness of the system and process was reviewed against the following evidence:

Internal Audit Programme 2018.
Internal Audit Programme 2019.
Internal Audit reports
- REC MS2 FTP - INV FTP-20180903 dated 03 Sep 2018.
- REC MS2 - Internal Audit Report Education 2019 dated 28 Jan 2019.
- REC MS2 Internal Audit Report HR PARTNERS 2018 dated 08 May 2018.
- REC MS2 Internal Audit Report POSTROOM July 2018 - 2 dated 27 Jul 2019.
FTP Improvement plan - Kellie Green dated 28 Jan 2019.

Finding Reference: 1763278-201904-I1
Certificate Reference: FS 83074
Certificate Standard: ISO 9001:2015
Clause: 9.2.2
Category: Opportunity for Improvement
Area/process: Internal Audit, Corrective Action and Improvement
Details: An Internal Audit Programme for the organisation can be planned detailing the Auditor, Auditee, method and Frequency excluding the third party audit programme schedule. The current programme is of complex nature combining the schedule of Internal as well as external audit programmes and lesser clarity in defining the frequency and method of audit.

Management Review and Improvement:

Objective Evidence / Discussions/Process Reviewed.

Bimonthly Senior Management Team meetings are carried out with inputs from all departments' respective KPI evaluation results, internal audit and third-party audit findings, changes in the environment, legal / statutory compliance and other key factors. Upon review, the SMT decides on resource needs and changes to the QMS, and identifies opportunities for improvement.

Effectiveness of the system and process was reviewed against the following evidence:

Management Review Procedure Combined QA & ISO 20190222.
QA Department Reports and Outputs - OMT and SMT actions.
Bimonthly SMT meetings dated
- 25 Sep 2018
- 09 & 23 Oct 2018.
- 06 & 20 Nov 2018.
- 04 Dec 2018.

Minor (2) nonconformities arising from this assessment.

Finding Reference: 1763278-201904-N1
Certificate Reference: FS 83074
Certificate Standard: ISO 9001:2015
Clause: 7.3
Category: Minor
Area/process: Quality Management System - Policy, Objectives, Changes, Plan to achieve
Statement of non-conformance: Lack of awareness of Organisation's Quality Policy and the relevant Quality Objectives by employee.
Clause requirements: Awareness
The organization shall ensure that persons doing work under the organization’s control are aware of:
a) the quality policy;
b) relevant quality objectives;
c) their contribution to the effectiveness of the quality management system, including the benefits of improved performance;
d) the implications of not conforming with the quality management system requirements.
Objective evidence: During Process verification and interaction with Finance department it was found the employee was not aware of the Quality Policy and the relevant Quality Objectives.
Cause:
Correction / containment:
Corrective action:

Finding Reference: 1763278-201904-N2
Certificate Reference: FS 83074
Certificate Standard: ISO 9001:2015
Clause: 6.2.1
Category: Minor
Area/process: Quality Management System - Policy, Objectives, Changes, Plan to achieve
Statement of non-conformance: Non determining of measurable quality objectives
Clause requirements:
The organization shall establish quality objectives at relevant functions, levels and processes needed for the quality management system.
The quality objectives shall:
a) be consistent with the quality policy;
b) be measurable;
c) take into account applicable requirements;
d) be relevant to conformity of products and services and to enhancement of customer satisfaction;
e) be monitored;
f) be communicated;
g) be updated as appropriate.
The organization shall maintain documented information on the quality objectives.
Objective evidence: Upon reviewing the Quality Objectives for the years 2018 and 2019 it was found that the Quality Objectives for the Human Resources department were established without any measurable targets and thus affecting the monitoring and evaluation of the performance of those objectives.
Cause:
Correction / containment:
Corrective action:

Next visit objectives, scope and criteria
The objective of the assessment is to conduct a surveillance assessment and look for positive evidence
to verify that elements of the scope of certification and the requirements of the management standard
are effectively addressed by the organization's management system; that the system is demonstrating
the ability to support the achievement of statutory, regulatory and contractual requirements and the
organization's specified objectives as applicable with regard to the scope of the management standard;
to confirm the ongoing achievement and applicability of the forward strategic plan.

The scope of the assessment is the documented management system with relation to the requirements
of ISO 9001:2015 and the defined assessment plan provided in terms of locations and areas of the
system and organization to be assessed.

Visit Criteria
ISO 9001:2015
Health and Care Professions Council management system documentation

Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation
of the visit by the organization within 30 days of an agreed visit date. It is a condition of registration
that a deputy management representative be nominated. It is expected that the deputy would stand in
should the management representative find themselves unavailable to attend an agreed visit within 30
days of its conduct.

Next visit plan

Date: 28/10/2019   Auditor: Sathish Seenuvasan
0900h  Day 1 - Opening Meeting
0930h  Quality management system - key controls - see appendix for full listing*
       Scope and Policy
       Risk and Opportunities register
       Risk Management / Prevention
1230h  Lunch
       Communications - Media & PR
       Communications - Internal Communications
       Communications - Events
       Registrations - International
       Registrations - UK
       Registrations - Operations
1600h  Day 1 - Interim Meeting

Date: 29/10/2019   Auditor: Sathish Seenuvasan
0900h  Day 2 - Opening Meeting
       HR/partner validation
       Objectives / Performance Monitoring & Measurement
       Internal Audits
       Actions / Non-Conformity / Incidents / Complaints
       Management Review
       Improvement
1230h  Lunch
       Supply Chain
       Human Resource Management
1500h  Report Preparation
1600h  Day 2 - Closing Meeting

Appendix: Your certification structure & ongoing assessment programme

Scope of certification

FS 83074 (ISO 9001:2015)

The management and operation of The Health and Care Professions Council (HCPC) covering: Statutory professional self-regulation. Reports to the Privy Council.

Assessed location(s)

The audit has been performed at Central Office.

London / FS 83074 (ISO 9001:2015)

Location reference: 0047125084-000
Address: Health & Care Professions Council, Park House, 184-186 Kennington Park Road, London, SE11 4BU, United Kingdom
Visit type: Re-certification Audit (SR Opt 1)
Assessment reference: 8911309
Assessment dates: 09/04/2019
Deviation from audit plan: No
Total number of Employees: 250
Effective number of Employees: 250
Scope of activities at the site: Main certificate scope applies.
Assessment duration: 2 day(s)

Certification assessment programme

Certificate number - FS 83074
Location reference - 0047125084-000

Audit number:      1      2      3      4      5      6      7
Date (mm/yy):      04/19  10/19  05/20  10/20  05/21  10/21  04/22
Duration (days):   2.0    2.0    2.0    2.0    1.0    2.0    2.0

Business area/location (X marks each audit in which the area is assessed):
Quality management system - key controls - see appendix for full listing*: X X X X X X X
Scope and Policy: X X X X X X X
Risk and Opportunities register: X X X X X X X
Senior management interview: X X X
Communications - Media & PR: X
Communications - Publishing: X
Communications - Stakeholders: X
Work environment and infrastructure/facilities management: X
Communications - Web & Digital: X X
Staff Development and Training: X
Communications - Internal Communications: X X
Communications - Events: X X X
Finance - Procurement (purchasing and suppliers): X
Finance - Transactions: X
Finance - Forecasting: X
Education - Quality Assurance: X X
Education - Operations: X X
Fitness to Practice - Adjudication: X
Fitness to Practice - Case Reception & Triage: X
Fitness to Practice - Case Preparation & Conclusion: X
Fitness to Practice - Operations: X
Fitness to Practice - Investigations: X

Policy: X X X X X X X
HR/partner validation: X
Projects: X X X
Registrations - International: X
Registrations - EMR: X
Registrations - UK: X
Registrations - CPD: X
Registrations - Operations: X
Registrations - Quality Assurance: X
IT - Infrastructure: X X
IT - Service support: X X
Secretariat - Information Governance: X X
Secretariat - Council Processes inc. appointments: X
Strategic review - using pack of information supplied by BSI: X X
Organisational context: X X X X
Leadership and Commitment: X X X
Management System Support: X X X X X X X
Planning and Resources: X X X X
Human Resource Management: X
Control of Documents and Records: X
Objectives / Performance Monitoring & Measurement: X X X X X X X
Management Review: X X X X X X X
Supply Chain: X
Internal Audits: X X X X X X X
Actions / Non-Conformity / Incidents / Complaints: X X X X X X X
Risk Management / Prevention: X X X X X X X
Legal and Other Requirements: X X
Improvement: X X X X X X X

Mandatory requirements – Recertification

The Recertification Review Pack has been reviewed prior to the assessment by the Client Manager.

All requirements of the standard have been implemented.

The entirety of scope / processes has been assessed during the current review period.

The certificate structure and location activities have been reviewed.

Based on the recertification process, the management system continues to demonstrate the ability to
support the achievement of statutory, regulatory and contractual requirements.

Technical Expert(s) have not been used in the certification cycle.

Operational processes to be assessed with respect to the Standard do not require the assessment of a Technical Expert.

Complaints received by BSI

There have been no complaints received by BSI during the certification period.

Strategic review pack summary

No major nonconformities were found or raised during the previous cycle.
Five minor nonconformities were found and raised during the previous cycle, and the corrective actions taken were effective in preventing their recurrence.
Nine Opportunities for Improvement were found during the previous assessment cycle.
Trends and areas of concern: in the previous cycle of assessments the NCs and OFIs were raised in fields related to the organisation's ability to assess risks and corrective action plans. However, the organisation has taken corrective actions and put the requisite processes in place to avoid the recurrence of such NCs.

Progress in relation to management system objectives.

A process-based approach, built on risk management and business continuity plans, keeps the needs and expectations of the interested parties in focus. Commitment of Top Management in planning, implementing, resource provision and periodic review of the processes that relate to the management system objectives is evident through the bimonthly Senior Management Team meeting reviews.

Leadership, commitment and strategy

Commitment of Top Management in planning, implementing, resource provision and periodic review of the processes that relate to the management system objectives is evident through the bimonthly Senior Management Team meeting reviews. The monthly employee internal communication meeting held by the Chief Executive and the effective use of the HCPC intranet are examples of Top Management's commitment to achieving the desired outputs pertaining to the Quality Management Objectives.

Effectiveness of the Management System
The processes planned and implemented for achieving the desired outputs of the management system are designed to interact with other processes and are able to flag bottlenecks to management for review.
The two-tier risk assessment and review system in place at the organisation proactively captures all internal and external changes that may pose a threat to the objectives of the Quality Management System. Frequent evaluations and the implementation of change / correction processes at all levels lead to the effectiveness of the management system in achieving continued compliance.

Impartiality review
Previous Assessment cycle
12 visits and six different assessors - Impartiality criteria achieved

Continue with the current total assessment days/cycle.

Justified exclusions / Non applicable clauses

There are no justified exclusions / non applicable clauses of the standard for certificate: FS 83074

Expected outcomes for accredited certification

What accredited certification to ISO 9001 means
ISO 9001:2015 specifies requirements for a quality management system when an organization: needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements; and aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

What accredited certification to ISO 9001 does not mean

1) It is important to recognize that ISO 9001 defines the requirements for an organization’s quality management system, not for its products and services. Accredited certification to ISO 9001 should provide confidence in the organization’s ability to “consistently provide product that meets customer and applicable statutory and regulatory requirements”. It does not necessarily ensure that the organization will always achieve 100% product conformity, though this should of course be a permanent goal.
2) ISO 9001 accredited certification does not imply that the organization is providing a superior product or service, or that the product or service itself is certified as meeting the requirements of an ISO (or any other) standard or specification.

Definitions of findings:

Nonconformity:
Non-fulfilment of a requirement.

Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services
will meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could
demonstrate a systemic failure and thus constitute a major nonconformity.

Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.

Opportunity for improvement:

It is a statement of fact made by an assessor during an assessment, and substantiated by objective evidence, referring to a weakness or potential deficiency in a management system which if not improved may lead to nonconformity in the future. We may provide generic information about industrial best practices but no specific solution shall be provided as a part of an opportunity for improvement.

How to contact BSI

'Just for Customers' is the website that we are pleased to offer our clients following successful
registration, designed to support you in maximising the benefits of your BSI registration - please go to
www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference
number and your certificate number (47125084/FS 83074).

Should you wish to speak with BSI in relation to your registration, please contact our Customer
Engagement and Planning team:

Customer Services
BSI
Kitemark Court,
Davy Avenue, Knowlhill
Milton Keynes
MK5 8PP

Tel: +44 (0)345 080 9000

Email: [email protected]

Notes

This report and related documents are prepared for and only for BSI’s client and for no other purpose. As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in connection with any other purpose for which the Report may be used, or to any other person to whom the Report is shown or into whose hands it may come, and no other persons shall be entitled to rely on the Report. If you wish to distribute copies of this report external to your organization, then all pages must be included.

BSI, its staff and agents shall keep confidential all information relating to your organization and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities.
The audit method used was based on sampling the organization’s activities and it was aimed to evaluate
the fulfilment of the audited requirements of the relevant management system standard or other
normative document and confirm the conformity and effectiveness of the management system and its
continued relevance and applicability for the scope of certification.

As this audit was based on a sample of the organization’s activities, the findings reported do not imply
to include all issues within the system.

Regulatory compliance

BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-
compliance or incidents that require notification to any regulatory authority. Acceptance of this report
by the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.

Assessment Report

The Health and Care Professions Council

Assessment dates: 29/04/2019 to 01/05/2019 (Please refer to Appendix for details)
Assessment Location(s): London (000)
Report author: Shirley Redwood
Assessment Standard(s): ISO/IEC 27001:2013


Table of contents
Executive summary (page 4)
Changes in the organization since last assessment (page 5)
NCR summary graphs (page 5)
Your next steps (page 6)
  NCR close out process (page 6)
Assessment objective, scope and criteria (page 6)
Assessment participants (page 7)
Assessment conclusion (page 8)
Findings from previous assessments (page 9)
Findings from this assessment (page 12)
  Opening meeting (page 12)
  Business/ISMS changes and previous findings: 4 Review previous report, confirm status of ISMS and scope; Context of the Organisation, Leadership and Commitment; Legal & regulatory compliance: A16 (page 12)
  Risk management update: 6, 8 (page 13)
  Improvement cycle: 9, 10 Internal Audit, Corrective Actions, Management Review, Objectives / Performance Monitoring & Measurement, Planning and Resources (page 15)
  Supplier Relationships A15 (page 17)
  Awareness interviews: TEAMS Registrations, Policy & Standards Education Team (security awareness sampling) (page 18)
  Incident Management (page 19)
  Operations Security A12 (page 20)
  Physical and Environmental Security (page 21)
  Human Resource Security, Planning and Resources (page 21)
  Closing meeting (page 22)
Minor (1) nonconformities arising from this assessment (page 23)
Next visit objectives, scope and criteria (page 24)
Next visit plan (page 25)
Appendix: Your certification structure & ongoing assessment programme (page 26)
  Scope of certification (page 26)
  Assessed location(s) (page 26)
  Certification assessment programme (page 27)
  Definitions of findings (page 28)

Audit Committee, 4 June 2019, Page 55
Page 2 of 29, Assessment Report.
How to contact BSI 28
Notes 29
Regulatory compliance 29
Executive summary
The implementation of ISMS within the team is in line with the strategic direction of the organization
and the requirement of ensuring management of risk and reputation.

Positives noted:

- Minor non-conformities closed
- Objectives, measurements and metrics are well documented
- Software is used in an innovative way to support information security processes
- Regular meetings are held with clear input from senior management
- Robust IT processes in place
- Resources committed to assist with the implementation of ISMS

The intent of the ISMS to comply with the requirements of ISO 27001:2013 has been demonstrated
throughout the audit. Based on these findings I am pleased to recommend continued certification.

Reference was made to the ISO 27006:2015 Calculator. It is a BSI/UKAS requirement to recalculate the
number of days using the latest ISO 27006:2015 Audit Time Calculator during this assessment.

A 2.5 day CAV audit has been scheduled to commence on the following date:

6th April 2020.

This is appropriate for the risk and complexity of the ISMS aligned with ISO 27006.
Any date changes should be notified to BSI with more than 30 days’ notice, if possible.

I would like to thank HCPC for their assistance and co-operation which enabled the audit to run
smoothly and to schedule.

Changes in the organization since last assessment

There is no significant change to the organization structure or key personnel involved in the audited
management system.
No change in relation to the audited organization's activities, products or services covered by the scope
of certification was identified.
There was no change to the reference or normative documents related to the scope of certification.

NCR summary graphs

(Charts not reproduced: "Which standard(s) BSI recorded findings against" and "Where BSI recorded
findings".)

Your next steps

NCR close out process

Corrective actions with respect to nonconformities raised at the last assessment have been reviewed
and found to be effectively implemented.
A minor nonconformity requiring attention was identified. This, along with other findings, is contained
within subsequent sections of the report.
A minor nonconformity relates to a single identified lapse, which in itself would not indicate a breakdown
in the management system's ability to effectively control the processes for which it was intended. It is
necessary to investigate the underlying cause of any issue to determine corrective action. The proposed
action will be reviewed for effective implementation at the next assessment.

Please refer to the Assessment Conclusion and Recommendation section for the required submission and
the defined timeline.

Assessment objective, scope and criteria


The objective of the assessment was to conduct a surveillance assessment and look for positive
evidence to verify that elements of the scope of certification and the requirements of the management
standard are effectively addressed by the organization's management system; that the system is
demonstrating the ability to support the achievement of statutory, regulatory and contractual
requirements and the organization's specified objectives as applicable with regard to the scope of the
management standard; to confirm the ongoing achievement and applicability of the forward strategic
plan and where applicable to identify potential areas for improvement of the management system.

The scope of the assessment is the documented management system with relation to the requirements
of ISO/IEC 27001:2013 and the defined assessment plan provided in terms of locations and areas of the
system and organization to be assessed.

ISO/IEC 27001:2013
The Health and Care Professions Council management system documentation

Assessment participants

Name | Position | Attendance (opening meeting, closing meeting, interviewed (processes))
Roy Dunn | Head of Business Process Improvement | X X X
Ewan Shears | Quality Compliance Auditor | X X
Jacqueline Ladds | Director of Policy and External Relations | X
Marc Seale | Chief Executive and Registrar | X
Richard Houghton | Head of Registration | X
Rick Welsby | IT Support Manager | X
Elandre Potgieter | Senior Support Analyst | X
Chanel White | Project Manager and IT Team Officer | X
Andy Sabapathee | IT Infrastructure Engineer | X
James Mcmahon | Office Services Manager | X
Aled Reece | Facilities Manager | X
Ambia Khatun | HR Officer | X
Fernando Masuko | Operations Delivery Resource Department and Service Delivery Coordinator | X
Katherine Timms | Head of Policy and Standards | X
Matthew Nelson | Systems Manager | X

Assessment conclusion
BSI assessment team

Name Position
Shirley Redwood Team Leader

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. The audit team
concludes based on the results of this audit that the organization does fulfil the standards and audit
criteria identified within the audit report and it is deemed that the management system continues to
achieve its intended outcomes.

RECOMMENDED - The audited organization can be recommended for continued certification to the
above listed standards, and has been found in general compliance with the audit criteria as stated in the
above-mentioned audit plan.

Use of certification documents, mark / logo or report

The use of the BSI certification documents and mark / logo is effectively controlled.

Findings from previous assessments

Finding Reference: 1465092-201704-N3
Certificate Reference: IS 600771
Certificate Standard: ISO/IEC 27001:2013
Clause: A9.2.5
Category: Minor
Area/process: Access Control & Cryptography / Communications Security / System Acquisition,
Development and Maintenance: A.9, A.10, A.14
Details: Review of user access rights requirements not conducted regularly
Objective evidence: Access rights reviews for some of the teams were seen to have been conducted.
However, it was noted for example that users with access to NetReg (a critical system) who had left the
HCPC still had active accounts. This was so because HCPC had failed to conduct access rights reviews on a
regular basis. Even though the report on users with access to NetReg was sent to the system owner a few
weeks ago, the risk associated with having leavers with active accounts had not been considered as
required.

Documents reviewed:
1. Netregulate Job Roles vs Actions v2.0
2. NetReg users & Roles - March 2017
Cause: No process in place
Correction / containment: There was no immediate corrective action taken to carry out an immediate
check of access control rights
Corrective action: A list is now sent to all managers listing users and levels of access. The response
back from managers has been slow, and some have not responded, which was highlighted in an internal
audit by IT Governance. This has now been reviewed as part of the audit process. See operations security
findings.
Closed?: Yes

Finding Reference: 1630565-201805-N1
Certificate Reference: IS 600771
Certificate Standard: ISO/IEC 27001:2013
Clause: 7.5.2
Category: Minor
Area/process: ISMS policy and procedures, internal audits, corrective action. 5, 7, 9, 10
Details: Documents appearing in the live ISMS on the organization's intranet were viewed as being in
draft format, having not received formal approval from the Executive Leadership Team
Objective evidence: A number of documents within the ISMS on the intranet were noted to be in Draft
format and had not been formally approved by the Executive Management Team. This is contrary to the
organisation's ISMS manual and was agreed with the guide.
Cause: Rapid change management left updated documents reflecting the new organisation structure in
draft status, and a meeting was not scheduled before the audit
Correction / containment: Permission sought for CEO to make all ISMS documents final rather than
draft upload to ISMS platform
Corrective action: Add clause to doc A4 management system process to allow email sign off of changes
by chief exec if SMT are not scheduled to meet
Closed?: Yes

Finding Reference: 1630565-201805-N2
Certificate Reference: IS 600771
Certificate Standard: ISO/IEC 27001:2013
Clause: 10.1
Category: Minor
Area/process: ISMS policy and procedures, internal audits, corrective action. 5, 7, 9, 10
Details: Nonconformities raised at internal and external audits have not effectively had the root cause
determined to see if further nonconformities exist, nor the effectiveness of the corrective actions
analysed.
Objective evidence: Improvement Log Entries 417 and 516 are interlinked and are showing as being
closed. Neither entry has a root cause assigned. A check to see if this nonconformity is occurring
elsewhere and the review of effectiveness has not taken place.
Cause: Incomplete data recorded in the improvement log
Correction / containment: Update improvement log
Corrective action: Sampled: IIR15.2019 root cause has been applied to the improvement log process.
Long term improvement - potentially put validation into the spreadsheet so an improvement log entry
cannot be closed unless the closure date and root cause cells are populated
Closed?: Yes

Finding Reference: 1630565-201805-N3
Certificate Reference: IS 600771
Certificate Standard: ISO/IEC 27001:2013
Clause: 7.5.3
Category: Minor
Area/process: Physical & Environmental Security A.11
Details: The control of incoming and outgoing mail was not effectively controlled.
Objective evidence: It was observed that open outgoing mail bags, containing mail, were left in the main
reception area. This did not offer adequate protection against theft of mail by either an insider or a
visitor to the building. It was further noted that incoming mail was stacked on the reception desk being
scanned upon receipt. Whilst the mail was not opened at this point there was little protection offered
against the potential of theft from an internal or external source. This was agreed with the facilities team
guide. Sampled incident IIR19.2018 is evidence that mail can be lost in the reception area.
Cause: Lack of secure postal storage in reception area; poor risk assessment
Correction / containment: Move mail bags to safe low access storage area (post room)
Corrective action: Mail bags will be stored and processed in the post room; scanning equipment to be
moved to new post room or facilities. Evidenced during physical security tour: controlled access
Closed?: Yes

Findings from this assessment

Opening meeting:
The opening meeting was conducted and arrangements for this visit were confirmed satisfactorily with
representatives present. This included confirmation of the visit plan, employee numbers in scope,
confidentiality, H&S, BSI standard process audit approach (open questions, sampling, recording,
nonconformity definition), and visit purchase order reference (provided).

Business/ISMS changes and previous findings: 4 - Review previous report, confirm status of ISMS and
scope
Context of the Organisation, Leadership and Commitment, Legal & regulatory compliance: A16:

Business/ISMS changes: The following update was provided
- Health & Care Professions Council (HCPC) is a regulatory body established by UK Statutory Instrument,
which regulates standards of education, training, conduct and performance for the health and care
professions.

The main objective is to safeguard the health and well-being of persons using or needing the services of
registrants. HCPC also investigates complaints from the public against registrants and holds Fitness to
Practice hearings.

Previous findings:
The previous BSI audit report was reviewed, and it was possible to close out the 4 Minor
Nonconformities during this visit.

Staff - using Lotus Notes access to SharePoint/Flex to share information security processes and
documentation.

Evidence:
Information Security Policy 14.01.2019 v1.6a
Organisation of the ISMS 27.03.2019
Information Classification and Handling Policy 27.03.2019 v1.7
Mobiles Systems Policy 27.03.2019 v2.3
Asset Management 27.03.2019 v1.6
Disposal of Media 29.03.2019 v1.0
Access Control Policy 27.03.2019 v2.1
Cryptography Policy 27.03.2019 v1.7
Working in Secure areas -server room v1.4
Physical and Environmental Security 04.02.2019 v1.8 (draft)

Objectives sampled
- 85% employees receive security awareness training annually
- FTP system uptime target 98.45% 10 days x5 day periods
- Audits time - 95% first draft completed
- 85% non-conformities closed by agreed date

Strategy
SMT Meeting 26.03.2019
OMT
Feeds into the management review held at least once a month

Director of IT and Resources
Director of Policy and External Relations
OMT

Email group on Information Security sent by the Head of Governance

Roles and responsibilities outlined
Organisation of the ISMS 27.03.2019

Context of the organisation - HCPC has Service users suppliers and other stakeholders outlined within
the interested parties table.

Requirement of the interested party relevant to the ISMS


Sampled:
-Members of the Public
-Applicants & Registrants
-Regulatory bodies
-Professional Service suppliers
-Local Authority
-Internet Connectivity

Roles and responsibilities outlined.

Legislation that is applicable to the HCPC - reviewed annually; date of last review 07.2018
Evidence:
- Health and Social Work Professions Order
- Data Protection Act (GDPR)
- Computer Misuse Act
- Copyright Act
- WEEE regulations

Processes effective.

Risk management update: 6, 8:

Processes reviewed

Risk Treatment Plan v20194003 - key business risks areas
Risk Management process20180921iQTY
Risk Management 27.03.2019 v1.7

Methodology
Risk impact is assigned a value score between 1 and 5 which represents the impact to HCPC.
Impact is considered in three categories:
- public protection
- financial and
- reputation
Threats are assigned a score according to likelihood of occurrence.
Mitigation is to treat the risk using controls within the standard; other sources may be selected or
in-house controls created.

The Statement of Applicability was sampled with the following justified exclusions:
The management of operation of the Health & Care Professions Council (HCPC) covering statutory
professional self-regulation, and reports to the Privy Council. This is in accordance with the Statement of
Applicability version SoA v1.8 dated 16.03.2019.
Exclusions:
14.2.2
14.2.6
14.2.8

Evidence:
Risk Managements Process Audit Committee Website - 23rd April 2019

Sample:
Item Enclosure 5 enterprise risk register

Reference: Risk Treatment Plan v 20190403ADTSTRATrisktreatmentplan April 2019

Overview of Risk Treatment Plan - Methodology
Throughout the year risks are continually monitored and assessed by risk owners.
Top 10 risks highlighted.

Loss of ISO 27001:2013 Certification
Risk owner provided
Impact x likelihood 5x4
Risk Impact score 20
Mitigation 1: culture, procedures, report errors, training and awareness as required
Mitigation 2: standard operation procedures and prevention of overwriting systems
Mitigation 3: preventive maintenance and reporting, system version tracking
Risk score after mitigation - medium

Loss of info from HCPC's electronic database due to inappropriate removal by an employee
Impact x likelihood 5x3
Risk Impact score 15
Mitigation 1: access is restricted to only the data that is necessary for the performance of the services;
employment contract including data protection and confidentiality agreement
Mitigation 2: access control procedures maintained, system audit trails, training where appropriate
Mitigation 3: laptop encryption, remote access when using VPN, doc file encryption procedure
maintained, 27001 standard

Loss of registrant personal data by the registration system (Netregulate) impacts the applicant support
provider in the performance of their support services
Impact x likelihood 5x3
Risk Impact score 15
Mitigation 1: access to and export of personal data is restricted to only that which is necessary for the
performance of the services
Mitigation 2: effective system process including secure data transfer and remote access granted only on
application and through secure methods
Mitigation 3: data processor side letter specifying obligation and granting a limited indemnity

Summary of strategic risks

Evidence: every six months changes and additions to risks are updated

Evidence: High level info asset register - Rec 2a 20190226 riskinfoassets
Core HR - ISO 27001 certified
Classification - highly confidential

Processes deemed effective.

Improvement cycle: 9, 10 Internal Audit, Corrective Actions, Management Review, Objectives /
Performance Monitoring & Measurement, Planning and Resources:
Processes reviewed

Evidence:
HCPC DOC A1 ISMS Manual 27.03.2019 v2.1
Information Security Policy 14.01.2019 v1.6a
Organisation of the ISMS 27.03.2019
Information classification and handling Policy 27.03.2019 v1.7
Effective Measures Objective Measures 27.03.2019 v1.6 ISO 27001

Management review 26.03.2019

Evidence:
Information classification and handling policy
Effective Measures Objective Measures sampled

Progress against IS objectives/KPIs:
- 85% employees receive security awareness training annually
- FTP system uptime target 98.45% 10 days x5 day periods
- Audits time 95% first draft completed
- 85% non-conformities closed by agreed date

Information Security course completed by 232 staff - 88.89% (90.04% as of 29.04.2019)
Incomplete 4.98%
Not started 6.13%

External/internal audit schedule in place:

Evidence:
Audit Schedule 2019 - sampled
REC MS2 internal audit report ServicePoint City2018

Internal audits: 18.01.2019
Legislation followed A18
OFI - 1

21.09.2018 - DR Business Continuity management - Daisy in Wapping
2 OFI
IT Service Manager and IT Infrastructure Manager

Evidence: IT Governance - 25.03.2019
Clauses - 4, 6.1.3, 7.5.3
Annex A - 5.1.2, 8, 9, 11.2.5, 12, 13, 14.2.8, 18.1.1
NC - 5
OFI - 4
Management commitment to ISMS not forthcoming - MN raised

Corrective actions:
Evidence
Improvement Log - reviewed within SMT
#2018 10 22 NMR71 - Office break in
SMT - 20.01.2018 addressed within the meeting
Incident overview
Lessons learnt - increased security has now been put in place
Trends identified
Root cause identified
-human error
-equipment failure

Sample:
#IRR 2019 - theft of equipment
#2019011ADTSTRATrisktreament 01.2019 - Hard Brexit - storage of data within the UK - repatriation of
data

Evidence:
Bi-monthly Senior Management Team meeting 20.11.2018

Sample
Item 11. NMR71
-security enhancements
-corrective actions required quickly to discourage repeat attempts

20.11.2018
Information Technology Report - no mention of objectives made in relation to metric measurements

14.01.2019
Information Technology Report

Resource Planning and Competence

The Business Improvement staff, with ISMS responsibilities, have demonstrated the following
experience.
Sampled:
- ISO27001:2013 transition certificate
- Practitioner in Information Security
- Certificate in Information Security Management Principles
- ISO27001:2013 Internal Auditor
- Risk Management
- Attendance at Certified CISO course
- QA Diploma for New Starters

Staff have IS considerations logged as part of their individual CPD plans for 2018-19.

A minor non conformity has been raised in relation to management review.

Supplier Relationships A15:

Supplier processes reviewed

Evidence:
- Supplier Relationships 27.03.2019 v2.5
- Procurement Policy

Sample
- Supplier information security evaluation - this must be completed for all new proposed contracts where
the supplier will handle HCPC information as part of the service.
- Invitation to tender specifies that tenderers must be ISO 27001 certified or equivalent or actively
working towards certification
- A risk table is included against the levels, and types, of data held by the supplier giving a risk profile of
High to Very Low
- A full list of data protection and information security clauses is included in the above document for
inclusion in contracts for data held/sampled. This may not be used if the supplier includes confidentiality
clauses in their offering of service. These clauses are reviewed by the organization's legal counsel.
- A full list of suppliers was viewed within a maintained database

Evidence:
Daisy IT Continuity and Resilience Services Limited and HCPC - signed 27.04.2017 reference made to:
Data Protection clause 6
Confidentiality clause 10
Intellectual Property Rights clause 11
Data processing addendum - updated 24.05.2018

Sample
Shadow Planner User Group - meeting minutes
-user group contact list
-relationship manager emails 17.01.2019
-incidents raised - INC.0333024

Single Source Request - Authorisation of Non-competitive transaction

Processes deemed effective.

Awareness interviews:
TEAMS Registrations, Policy & Standards Education Team (security awareness sampling):
Evidence:
Information Security staff awareness processes reviewed

ISMS Staff Training

Sample
- Interactive training

LMS
- GDPR
- Information Security
- Personal Safety Online training takes approximately 30 minutes to complete
- Sample: 24.03.2019 date of completion

Competence, Training and Awareness processes reviewed

Evidence:
Training record sampled:
Awareness Training 19.02.2019

Policies disseminated in a pack. Must be read, agreed to and acknowledged as part of the induction
process.

In the instance of information security, it is evident that all staff have received effective training in line
with staff awareness requirements.

This clearly falls in line with the implementation of Information Security and staff members are aware of
the policies, as evidenced in interviews.

Staff members are aware of the location of relevant policies and have access to this information using the
HCPC intranet. This is currently in transition to SharePoint and should be in place by the end of Q2.

Staff ensure the confidentiality, integrity and availability of documents they are working on and are
mindful of their surroundings, specifically when working with other colleagues and sensitive data.

Shredders and confidential waste bins are made available and utilised by all staff. Secure printing is in
operation.

Personal data is treated in line with Information Security and GDPR requirements.

Access to systems is password controlled for all users with the necessary segregated areas applied.
Access to patient details is allocated on a need to know basis.

Staff are fully aware of who they need to contact in the case of a security incident and are confident
challenging their colleagues when necessary, e.g. unlocked screens, unescorted visitors.

Staff members are encouraged to report IS incidents using [email protected]

Processes effective.

Incident Management:
Incident management processes reviewed

Evidence:
Incident Management 27.03.2019
Incident Response Plan 27.05.2018
Information incident rating process 27.03.2019 v1.4 outlines the procedure for reporting security
incidents

Report security incidents to: [email protected]

Incident Response Plan 27.05.2018
How to recognise a security incident; roles and responsibilities

Incident response plan steps sampled:
- report
- investigate
- make sure no one can access or alter compromised systems

Specific incident response types:
- malware
- unauthorised wireless access points
- loss of equipment

Information incident rating process 27.03.2019 v1.4

Sampled:

IIR2.2019 - 16.01.2019
Logged 22.01.2019
Hearing team manager sent copy of private decision to another registrant
RC - human error - emailed wrong registrant and requested deletion of the email - staff reminded of
awareness
Risk rating 5.8

IIR tool rating sampled:
- type of data
- impact
- recovery
- number of subjects impacted
- incident rating

IIR 6.2019 66073 19.02.2019
Basic case information sent to wrong email address
Human error where the same email domain is used for multiple contacts. A table of patient employee
trust should be constructed to map each individual to avoid confusion
RC - poor labelling of email address
Risk rating 8.3

Processes deemed effective.

Operations Security A12:

Processes reviewed

Change Management
- Weekly CAB is in place
- CAB 01.04.2019
- Master change list is maintained

Sampled Changes Evidence:
RFC20190071
Title of Change: Red Box Recorder Upgrade (TEL04) 27.04.2019

Weekly IT Team meeting
IT Agenda 05.04.2019
- major projects
- service desk tickets
- Windows 10
- SharePoint

Protection from Malware - Symantec Endpoint Protection

Information Transfer
- BitLocker deployed on laptops and desktops
- Data is encrypted prior to transfer - USBs are encrypted prior to any transfer
- Personal external USBs are not whitelisted for internal data transfer
- Transfer mechanisms are covered in ISMS DOC A10
- Exchange in O365 is covered with Advanced Threat Protection for incoming mail
- Weekly capacity report is produced for the weekly internal IT meeting

Evidence:
IT Department Induction 2019

Sampled:
Audit of user network access - 15.04.2019 email

Backup
- Backup policy v1.2 dated 27.03.2019 was viewed
- Back up to on-premise and Cloud based environment
- Backups are encrypted at DB level
- Data is backed up incrementally

Logging and Monitoring
- Logs are retained in TripWire on RAID 5
- System logs are reviewed monthly following the patching cycle by IT
- 5 months of logs are retained before being overwritten

Processes deemed effective.

Physical and Environmental Security:

Physical security processes and documentation reviewed

Evidence:
Physical and Environmental Security 04.02.2019
Perimeter will be protected with maglocks and mechanical keys for main exterior doors, with intruder
alarms also. Windows protected by internal and external bars.
CCTV - monitored

Evidence of implementation: A site tour took place and the following controls were seen in place:
- Building manned Mon-Fri 07:00-21:00hrs
- Building secured by key card managed internally - Paxton Net 2 system
- Fire equipment, including extinguishers, maintained by third party suppliers
- Fixed internal CCTV surveillance at entry points
- Access to comms room restricted - requires swipe card and PIN code
- Visitor pass is issued for basic access to the building
- Visitors must report to reception desk and are provided with a yellow lanyard holder
- Blue/Maroon - employees
- Green - contractors
- A valid key card is required to gain access to office space - magnetic lock system in place
- Reviewed regularly as part of access control process
- Lockable confidential waste bins are made available for staff use throughout the building
- Secure printing in operation
- Clear desk and screen policy seen to be in place
- Lockable pedestals made available to all staff
- To enhance security processes, planned installation of a roller shutter - scheduled for 02.05.2019

Certificates of destruction sampled:
Restore Datashred - #2376660754 - 23.04.2019 disposal of confidential waste
SLA/KPI level of service Apollo Cleaning Ltd - currently under review.

Processes deemed effective.

Human Resource Security, Planning and Resources:

Processes reviewed

Evidence:
HR Security Policy 27.03.2019 v1.6

Vetting - internal process
- DBS checks applied to IT, FTP, Finance
- Starter Checklist used to ensure that the process, including key policies, has been followed
- Right to work checks carried out and documents observed; minimum of two references
- Signed contract of employment
- Confidentiality clause 14
- Data Protection clause 18
- Signed data handling guidance document
- Signed Email guidance document
- Signed IT policy document including confidentiality of data, access control, security, passwords,
monitoring and unacceptable behaviour
- Induction Training commencing within one week of employment

Sampled New Starter process
- RA - XXXXX - 14.12.2018
- AS - XXXXX - 26.08.2018
- AR - XXXXX - 26.02.2019

Transfer is maintained via the core HR system
- Role amended
- New contract assigned
- Receiving line manager raises an internal IT request for access changes

Leavers records sampled:
- SA 29.03.2019

The following was observed respectively:
- Leaver process has been followed.
- Resignation acceptance letters sampled and confirmed
- Reminder of continued obligations sent
- Exit interview sampled (optional)
- Confirmation that access removed for both staff members

Processes effective.

Closing meeting:
The closing meeting was conducted and the report findings summarised satisfactorily to those present.
No comments on the report were received. The BSI standard approach including confidentiality, nature
of sampling, appeals process (if required), and any forward actions following this visit were confirmed.
The next visit planning arrangements were reviewed and confirmed.

The client should download the final Audit Report from the BSI Assurance Portal
https://assuranceportal.bsigroup.com/ where any nonconformities that require formal corrective action
plans should also be progressed. Please note that it is now policy that only a PDF copy of the report will
be supplied. If the client management representative has lost credentials to access the Assurance
Portal, then contact should be made with BSI Customer Services (see 'How to contact BSI' below) to
obtain updated credentials.

Minor (1) nonconformities arising from this assessment.


Finding Certificate
1771238-201904-N1 IS 600771
Reference Reference
Certificate
ISO/IEC 27001:2013 Clause 9.3
Standard
Category Minor
Improvement cycle: 9, 10 Internal Audit, Corrective Actions, Management
Area/process: Review, Objectives / Performance Monitoring & Measurement, Planning
and Resources
Statement of
Not all requirements of the management review process have been
non-
addressed
conformance:

Clause requirements (ISO/IEC 27001:2013, 9.3 Management review):
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
   1) nonconformities and corrective actions;
   2) monitoring and measurement results;
   3) audit results; and
   4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.

Objective evidence: The management review failed to take into consideration all the requirements of the standard. The Information Technology Report made no mention of objectives in relation to metrics and measurements, and no mention of continual improvement or objectives.
Cause: (left blank in the report)
Correction / containment: (left blank in the report)
Corrective action: (left blank in the report)


Next visit objectives, scope and criteria


The objective of the assessment is to conduct a surveillance assessment and look for positive evidence
to verify that elements of the scope of certification and the requirements of the management standard
are effectively addressed by the organization's management system; that the system is demonstrating
the ability to support the achievement of statutory, regulatory and contractual requirements and the
organization's specified objectives as applicable with regard to the scope of the management standard;
to confirm the ongoing achievement and applicability of the forward strategic plan.

The scope of the assessment is the documented management system with relation to the requirements
of ISO/IEC 27001:2013 and the defined assessment plan provided in terms of locations and areas of the
system and organization to be assessed.

Criteria:
- ISO/IEC 27001:2013
- The Health and Care Professions Council management system documentation

Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation
of the visit by the organization within 30 days of an agreed visit date. It is a condition of registration
that a deputy management representative be nominated. It is expected that the deputy would stand in
should the management representative find themselves unavailable to attend an agreed visit within 30
days of its conduct.


Next visit plan

Date        Auditor    Time   Area/process                                        Clause
06/04/2020  S Redwood  09:00  Opening Meeting
                              Context of the Organisation, Scope and Policy       4, 4.3
                              Objectives / Performance Monitoring & Measurement   6.2, 9.1
                              Risk Assessment, Risk Treatment, Statement of       6
                              Applicability
                       12:00  Lunch
                       12:30  Control of Documents and Records                    7.5
                              Compliance: Legal and Other Requirements            A18
                              Internal Audit, Corrective Actions, Management      6, 9.2, 9.3
                              Review
                       16:00  Interim Meeting
07/04/2020  S Redwood  09:00  Follow-up day 2
                              Access Control & Cryptography                       A9, A10
                              Asset Management                                    A8
                              System Acquisition, Development and Maintenance     A14.1
                       12:00  Lunch
                       12:30  Communications Security                             A13
                              Business Continuity                                 A17
                              Policy & Standards (security awareness sampling)    A7.2.2
                              Education Team (security awareness sampling)        A7.2.2
                       15:30  Registrations (security awareness sampling)         A7.2.2
                       16:00  Report Preparation
08/04/2020  S Redwood  09:00  Report Writing (0.5 day off site)
                       13:00  Programme Management


Appendix: Your certification structure & ongoing assessment programme

Scope of certification

IS 600771 (ISO/IEC 27001:2013)


The management of operation of the Health & Care Professions Council (HCPC) covering statutory
professional self-regulation, and reports to the Privy Council. This is in accordance with the Statement of
Applicability version SoA v1.8 dated 16/03/2019.

Assessed location(s)

The audit has been performed at Central Office, Permanent Locations.

London / IS 600771 (ISO/IEC 27001:2013)
Location reference: 0047125084-000
Address: Health & Care Professions Council, Park House, 184-186 Kennington Park Road, London, SE11 4BU, United Kingdom
Visit type: Continuing assessment (surveillance)
Assessment reference: 8914223
Assessment dates: 29/04/2019
Deviation from audit plan: No
Total number of employees: 250
Total persons doing work at this site: 250
Scope of activities at the site: Main certificate scope applies.
Assessment duration: 2.5 day(s)


Certification assessment programme

Certificate number - IS 600771


Location reference - 0047125084-000

                    Audit1   Audit2   Audit3   Audit4   Audit5
Date (mm/yy):       05/18    05/19    04/20    04/21    04/21
Duration (days):    4.5      3        3        0.5      6

Business area/location (X = area assessed; this copy of the report does not preserve which audit column each X was marked under):
Continuing Assessment: X X
Triennial Recertification: X X
Context of the Organisation, Scope and Policy: X X X X
Leadership and Commitment: X X X
Planning and Resources: X X X
Human Resource Security: X X X
Control of Documents and Records: X X X
Objectives / Performance Monitoring & Measurement: X X X X
Internal Audit, Corrective Actions, Management Review: X X X X
Supplier Relationships: X X X
Risk Assessment, Risk Treatment, Statement of Applicability: X X X X
Compliance: Legal and Other Requirements: X X X
Security Incident Management: X X X
Access Control & Cryptography: X X X
Physical and Environmental Security: X X X
Asset Management: X X X
Operations Security: X X X
Communications Security: X X X
System Acquisition, Development and Maintenance: X X X
Business Continuity: X X X
Registrations (Awareness Sampling): X X X
Fitness to Practise (Awareness Sampling): X X X
Policy & Standards (security awareness sampling): X X X
Education Team (security awareness sampling): X X X
Finance Team (security awareness sampling): X X X
Communications Team (security awareness sampling): X X X
Project Management Team (security awareness sampling): X X X
Programme Management: X X X

Definitions of findings:

Nonconformity:
Non-fulfilment of a requirement.

Major nonconformity:
Nonconformity that affects the capability of the management system to achieve the intended results.
Nonconformities could be classified as major in the following circumstances:
• If there is a significant doubt that effective process control is in place, or that products or services
will meet specified requirements;
• A number of minor nonconformities associated with the same requirement or issue could
demonstrate a systemic failure and thus constitute a major nonconformity.

Minor nonconformity:
Nonconformity that does not affect the capability of the management system to achieve the intended
results.

Opportunity for improvement:
It is a statement of fact made by an assessor during an assessment, and substantiated by objective
evidence, referring to a weakness or potential deficiency in a management system which if not improved
may lead to nonconformity in the future. We may provide generic information about industrial best
practices but no specific solution shall be provided as a part of an opportunity for improvement.

How to contact BSI

'Just for Customers' is the website that we are pleased to offer our clients following successful
registration, designed to support you in maximising the benefits of your BSI registration - please go to
www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference
number and your certificate number (47125084/IS 600771).

Should you wish to speak with BSI in relation to your registration, please contact our Customer
Engagement and Planning team:

Customer Services
BSI
Kitemark Court,
Davy Avenue, Knowlhill
Milton Keynes
MK5 8PP

Tel: +44 (0)345 080 9000

Email: [email protected]

Notes

This report and related documents are prepared for and only for BSI's client and for no other purpose.
As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for
or in connection with any other purpose for which the Report may be used, or to any other person to
whom the Report is shown or into whose hands it may come, and no other persons shall be entitled to
rely on the Report. If you wish to distribute copies of this report external to your organization, then all
pages must be included.

BSI, its staff and agents shall keep confidential all information relating to your organization and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual
confidentiality undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities.
The audit method used was based on sampling the organization’s activities and it was aimed to evaluate
the fulfilment of the audited requirements of the relevant management system standard or other
normative document and confirm the conformity and effectiveness of the management system and its
continued relevance and applicability for the scope of certification.

As this audit was based on a sample of the organization's activities, the findings reported are not
intended to cover all issues within the system.

Regulatory compliance

BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-
compliance or incidents that require notification to any regulatory authority. Acceptance of this report
by the client signifies that all such issues have been disclosed as part of the assessment process and
agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI
client manager as soon as practical after the event.
