4. Alcumus – a true market leader
The market-leading provider of technology-enabled compliance risk management and certification services
5000+ customers and 30% of FTSE 100
• Innovators: Continuous development to better support our customers
• Experienced: We’ve been adding value for over 35 years
• We deliver: Our customers stay with us – 95%+ retention rates
• Have confidence in working with Alcumus
5. Alcumus ISOQAR – key stats
• 6th position in the UK certification market
• Fastest-growing UK certification body
• Deliver more than 10,000 audit days per year
• £8.2M revenue
• Auditing against more than 25 generic and sector-specific standards
• 35% contribution to overall Alcumus revenues
• Network of 300+ IAN consultants
• Overseas network of 7 critical locations servicing 2500 international clients
• 13% y-o-y growth
• 55 auditors, 36 contractors, 35-strong office-based team
6. Alcumus overview
• Extensive range of solutions and services: COSHH, Software, Training, Certification, HR, Health & Safety, Contractor Verification
Leading compliance software
• Used by 30% of FTSE 100 companies
Leading UKAS certification body
• The fastest growing in the UK (60+ auditors)
A clear leader in H&S management
• Nationwide coverage (60+ consultants)
• No. 1 for COSHH solutions (20+ specialists)
Leading property compliance
• Most leading managing agents use us
Leading HR solutions provider
• Delivering services for over 30 years
Leading training provider (IRCA, IOSH, NEBOSH)
7. Some of our customers
• Sectors served: Construction, Manufacturing, Engineering, Oil & Gas, Healthcare, Retail / Property, Public Sector, Transport & Logistics
9. Our references
ISOQAR India references:
• Emerson
• Knight Frank
• SBI
• Getronics
• SERCO
• Intelenet
• Sparsh
• JW Thompson
• HITACHI
• France Telecom – Orange
• ISS
• Sanofi Aventis
• Prometric
• R Systems International / Indus
• SunTec
• ARANCA
• ZENSAR
• Reliance Industries
• Pfizer
• Toyo
• Alexander Mann
• Diageo
• Heineken
• Ministry of National Guard Health Affairs – KSA
• Al Qassim Municipality
• Al Imam University – KSA
• UAE Exchange
• Qatar University
• Banque Saudi Fransi
• Cloud Pay
10. ISOQAR is part of the Alcumus Group, a multi-discipline provider of risk management, compliance and certification services, operating throughout the UK and via a network of operations globally.
11. For over 20 years, we have assisted thousands of businesses of all shapes and sizes in creating competitive advantage.
13. Why choose ISOQAR?
• Technical capability – our expert auditors’ industry experience is matched to your organisation’s activities, enabling you to get the most out of your assessment.
• The ALCUMUS ISOQAR brand – our reputation for integrity and approachability means that we offer a consistent and professional service, resulting in a practical and meaningful audit experience.
• Global reach – besides having auditors located throughout the UK, we also have the capability to deliver certification audits internationally.
• Rapid response – we specialise in providing audits and answering queries quickly and efficiently.
“A simplistic & direct approach to auditing that was appropriate to our industry”
15. What is PCI (Payment Card Industry)?
PCI is a family of data security standards intended to secure the processing infrastructure of the payment industry.
PCI DSS applies to any entity that processes, stores or transmits cardholder data.
It is a consistent global standard that applies to banks, merchants, service providers and gateways.
PCI DSS applies to both CREDIT and DEBIT cards.
16. Introduction to PCI DSS
• Joint effort of:
  VISA International
  MasterCard Worldwide
  American Express
  Discover Financial Services
  JCB
• Managed by the PCI SSC on behalf of the card brands (Visa, MasterCard, AMEX, Discover and JCB)
• Current version of the standard is 3.1 (April 2015)
• Includes 12 security requirements (approx. 300+ sub-requirements)
• Grouped into six control objectives
18. Gap assessment
A PCI DSS gap assessment, depending on the scope and size of the organisation, will normally be conducted in 3 days of onsite assessment.
The deliverables of the gap assessment will include:
• Detailed requirement-wise gaps identified, and
• The assessor’s recommendations in line with PCI requirements.
Time frame: 3 days onsite + 1 week of gap assessment report writing
Resources: 1 QSA + 1 Technical Consultant onsite
• Consultant offsite for 4 / 5 days for report writing
• QSA 2 days offsite for checking the report before releasing it to the client
In the case of large organisations such as banks, service providers and BPOs with multiple sites / locations, the time frame can vary and so will the costing.
19. PCI DSS audit and certification
Time frame: 3 – 5 days onsite
• 30 to 60 days of evidence collection
• 2 to 3 weeks of report writing (ROC)
• 1 week of report QA and comments remediation
Resources: 1 QSA + 1 Technical Consultant onsite for 1 week (5 days)
• QSA 15 – 20 days offsite for checking evidence and writing the report before releasing it to QA
• QA 3 to 5 days for queries
• QSA 3 / 5 days for remediation of QA comments
Total time estimated from the date of audit until release of the ROC will be 60 to 90 days, depending on the client’s urgency.
In the case of large organisations such as banks, service providers and BPOs with multiple sites / locations, the time frame can vary and so will the costing.
20. Remediation / implementation support
In line with the gaps identified and the subsequent recommendations by the QSA, the ISOQAR technical team will assist the client with remediation support to become PCI DSS compliant.
Time frame may vary depending on the client’s urgency to become compliant and the gaps identified, i.e. 90 to 180 days.
Resources: 2 Technical Consultants offsite under QSA guidance
In the case of large organisations such as banks, service providers and BPOs with multiple sites / locations, the time frame can vary and so will the costing.
21. Support services
Internal vulnerability assessments
• Why required? All PCI DSS certified companies will need these scan reports on a quarterly basis, as mandated by PCI.
• Costing: Depends on the number of devices and IPs to be scanned.
• Resources: 1 Technical Consultant onsite / offsite, depending upon the requirement of the client.
22. Penetration tests
• Why required? All PCI DSS certified companies will need these test reports on a yearly basis, as mandated by PCI.
• Resources: 1 Technical Consultant onsite / offsite, depending upon the requirement of the client.
23. Annual review of policy / procedures and risk assessment
• Why required? All PCI DSS certified companies will need this annual review of policy / procedures and risk assessment on a yearly basis, as mandated by PCI.
• Resources: An experienced resource in ISMS and PCI.
24. PCI DSS implementation training
• Depending upon the client’s needs, and as required, experienced consultants will offer 3 days of “PCI DSS Implementation Training” onsite / offsite.