SSQS-101.9-Quality-Schedule-for-the-Application-of-BS-ISO-9001-2015-to-the-NACOSS-Gold-Approval-Scheme-Nov-2024

National Security Inspectorate
Sentinel House, 5 Reform Road
Maidenhead SL6 8BY
Website: nsi.org.uk

NSI reference only
Document no. SSQS 101
Issue no. 9
Issue date November 2024
Document owner Director of Technical Services and Field Operations
Document classification PUBLIC (RESTRICTED)
© NSI 2024

Quality Schedule

SSQS 101 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to NACOSS Gold Approval

SSQS 101 Issue 9 November 2024

NSI NACOSS Gold is an approval scheme that combines Quality Management System (QMS) and Product Certification (PC). Compliance with BS EN ISO 9001:2015, the international standard for QMS, is required for any UKAS Accredited Certification.

NACOSS Gold approval covers organisations involved in designing, installing, commissioning and maintaining electronic security systems, including intruder & hold-up alarm systems, VSS (CCTV) video surveillance systems, and access control systems.

The NACOSS Gold scheme mandates that systems are designed, installed, commissioned and maintained by competent, security-screened personnel in line with manufacturers’ requirements and standards such as BS 7858.

This Quality Schedule offers guidance on applying BS EN ISO 9001 in a security environment. Compliance with this schedule and the standard is a condition for NACOSS Gold approval.

Issue 9 reflects updates to British and European standards and NSI codes of practice.

1 Introduction

1.1 Quality Schedules are designed for sectors of industry and are used to amplify the requirements of the QMS Standard (BS EN ISO 9001) and provide an agreed basis for audit.

1.2 The 2015 standard is based on the quality management principles described in ISO 9000, which are customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making and relationship management. There is a strong focus on leadership and commitment to the quality management system (see BS EN ISO 9001:2015 Clause 5). The concept of risk-based thinking enables greater flexibility to be applied to the requirements for processes, documented information, and organisational responsibilities.

1.3 BS EN ISO 9001:2015 includes a requirement to maintain documented information required by the Standard and documented information determined to be necessary to ensure the effectiveness of the quality management system (see BS EN ISO 9001:2015 Clause 7.5). Documented information required includes: (1) the scope of the quality management system, (2) information necessary to support the operation of processes, which will require maintained information (documented procedures) and retained information (records), (3) the quality policy, and (4) where appropriate, organisational knowledge. More detailed information on the structure, terminology and concepts introduced by the new standard can be found in BS EN ISO 9001:2015 Annex A.

1.4 Use of an NSI NACOSS Gold approved company (called “you” or “organisation” in this Quality Schedule) provides a high level of assurance that:
a) electronic Security Systems are designed, installed, commissioned, and maintained by technically competent and security-screened personnel, to the appropriate Product Standards (such as PD6662, BS 8243 etc) and contractual service agreements are fulfilled; and
b) there is a commitment to customer satisfaction and continual business improvement derived from the implementation of a QMS designed specifically to meet the needs of the Electronic Security Systems industry, such needs having been agreed in consultation with NPCC, insurers, installers, trade associations and professional institutions.

1.5 The scope of the organisation’s approval is detailed on the NSI Certificate of Approval and is referenced to the Quality Schedule.

2 Scope

2.1 Compliance with this Quality Schedule is a condition of NSI NACOSS Gold approval.

2.2 This Quality Schedule sets out the criteria for auditing the QMS of organisations engaged in the design, installation, commissioning, and maintenance of Electronic Security Systems, including alarms & hold-up alarm systems, video surveillance systems VSS (CCTV) and access control, and does not in any way diminish the NSI Regulations or the defined scheme criteria.

2.3 The full requirements of BS EN ISO 9001:2015 apply and, additionally, you must adhere to the requirements of this Quality Schedule.

2.4 This Quality Schedule retains the alignment with the main clause numbers of BS EN ISO 9001:2015.
Certain requirements are included from the Standard for emphasis and they do not detract from the need for you to comply with all the requirements of the Standard. Where there are no additional requirements, this is stated.

2.5 Requirements of this Quality Schedule you must satisfy are shown in normal text and are further emphasised by the use of “shall” or “must.” Where additional guidance is given, it is reproduced in italics and often further emphasised by the use of “may” or “can” within the text.

3 Definitions

In addition to the definitions in BS EN ISO 9000, the following definitions apply:

3.1 Complaint means an expression of dissatisfaction made to an organisation, related to its product or service, or the complaints-handling process itself, where a response or resolution is explicitly or implicitly expected.

3.2 Security screened means having been adjudged suitable for working in the security systems industry, following completion of security screening. See BS 7858 regarding completion of limited security screening, pending completion of full security screening.

3.3 Non-NSI security system service provider means a security system service provider that is not an NSI approved company.

3.4 Labour providers, Subcontractors, or Skilled workers means an individual or company external to the organisation that enters into an agreement or contract with the organisation to supply processes, products and/or services. These persons will be referred to as subcontractors throughout this document.
This definition applies, irrespective of the contractual arrangements or parties involved, to all individuals performing work for your organisation who are not staff personnel. BS EN ISO 9001 (see clause 8.4) uses the term “external provider” and this includes “subcontractors”.

3.5 Staff personnel means the managing partners of the organisation, the sole proprietor of the organisation or, in the case of a limited company, the directors of the organisation and employees from whose remuneration the organisation deducts Income Tax and National Insurance contributions.

4 Context of the organisation

4.1 Understanding the organisation and its context

No additional requirements apply to this clause of BS EN ISO 9001:2015.

4.2 Understanding the needs and expectations of interested parties

No additional requirements apply to this clause of BS EN ISO 9001:2015.

4.3 Determining the scope of the quality management system

Whilst there is no requirement in BS EN ISO 9001:2015 to hold a quality manual, there is a requirement to maintain documented information that describes the scope of the QMS. When determining the scope, the following must be considered:
a) The internal and external issues affecting the QMS (clause 4.1). Issues to consider are, for example, changes in technology, the introduction of or changes to standards, new legislation, and personnel changes.
b) The requirements of any relevant interested parties affecting the QMS (clause 4.2). Interested parties may include shareholders, trade bodies, certification bodies, police forces and insurers; and
c) The organisation’s products and services affected by the QMS.
plus d) Any justifications where the organisation has determined that requirements of the standard are not applicable to the scope of the QMS (clause 4.3).

When determining the scope of the QMS to meet the requirements of BS EN ISO 9001:2015, organisations may omit ANY requirement which is not applicable to the determined scope of the quality management system and does not affect the organisation’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction. Where an organisation determines that a specific requirement does not apply to the scope of their QMS, the justification is to be included within the scope of the QMS.

NSI will continue to permit organisations to omit requirements relating to the development aspects of BS EN ISO 9001:2015 Clause 8.3 Design and development of products and services provided the organisation does not undertake these development activities. Where other requirements are not determined to be applicable, these are to be justified within the scope of the QMS.

4.4 Quality management system and its processes

No additional requirements apply to this clause of BS EN ISO 9001:2015.

5 Leadership

5.1 Leadership and commitment

5.1.1 General

No additional requirements apply to this clause of BS EN ISO 9001:2015.

5.1.2 Customer focus

No additional requirements apply to this clause of BS EN ISO 9001:2015.

5.2 Policy

5.2.1 Developing the Quality Policy

In addition to the requirements of this clause of BS EN ISO 9001:2015, the Quality Policy must include a commitment to comply with this Quality Schedule, with industry-agreed Codes of Practice and applicable legal and/or statutory requirements.

Accredited Certification Bodies (CBs) for any management systems certification must comply with UKAS requirements to withhold or withdraw approval from companies if any breaches of applicable legislation are found. This is reflected in BS EN ISO 9001:2015 where an organisation is required to identify and comply with all relevant statutory requirements applicable to the product(s) and/or service(s) provided (also expressed as legal requirements).

NSI, as a United Kingdom Accreditation Service (UKAS) accredited CB, does not recommend approval (or continued approval) to BS EN ISO 9001 if there are known breaches of legal requirements that relate directly to the product or service provided.

You must include a commitment in your Quality Policy that it is your intention to comply with applicable legal requirements and periodically to evaluate compliance with the same as an input to management review.

Appropriate management must also demonstrate that they are generally aware of the prime legislation that impinges on their area of responsibility and authority. For example, if an operations manager deploying installation engineers was unaware of the health & safety legislation relating to working at height, then it could hardly be argued they are competent to perform their duties. This would not only be an issue in terms of the potential for legal nonconformity but also in terms of compliance with clause 7.2 Competence.

5.2.2 Communicating the quality policy

No additional requirements apply to this clause of BS EN ISO 9001:2015.

5.3 Organisational roles, responsibilities, and authorities

As detailed within the ISO 9001 Standard, you must define and communicate responsibilities and authorities within your organisation.
The size and complexity of an organisation has a bearing on how such responsibilities and authorities are defined. In a large organisation with various departmental interfaces, responsibilities and authorities can be defined through documented job descriptions, a schedule of key personal responsibilities in the quality manual and/or inclusion within the documented procedures. In a very small family run organisation, provided management and staff can demonstrate on interview a common understanding of everyone’s prime responsibilities and authorities, it may not be necessary to have them fully documented.

Notwithstanding the above, NACOSS Gold specifically requires certain responsibilities are clearly assigned:
(1) for the nominated designer(s) – see clause 8.3 Design and development of products and services;
(2) for the person(s) who is (are) nominated as being responsible for all aspects of intruder and hold-up alarm system performance (commonly referred to as Systems Performance Executive(s) – see BS 8473); and
(3) for the person(s) who is (are) nominated as being responsible for all aspects of BS 7858 Security Screening (Screening controller).

There is no requirement to appoint an individual to act as a Quality Management Representative but there remains a need for top management to assign the responsibility and authority for maintaining the quality management system. Whilst this does not prevent the organisation from appointing a subcontracted quality consultant into this role, top management within the organisation should consider the risks associated with managing the appointment in this way and identify the means to mitigate the potential impact.

6 Planning for the quality management system

6.1 Actions to address risks and opportunities

No additional requirements apply to this clause of BS EN ISO 9001:2015.

6.2 Quality objectives and planning to achieve them

No additional requirements apply to this clause of BS EN ISO 9001:2015.

6.3 Planning of changes

No additional requirements apply to this clause of BS EN ISO 9001:2015. However, the following are examples of situations where changes to the quality management system should be considered:
• Acquisitions and joint ventures.
• Introduction of new technologies.
• Organisational restructuring.
• Use of subcontractors.

7 Support

7.1 Resources

7.1.1 General

Whilst you must maintain adequately security screened and competent resources, you may not always be able to provide a complete service using your staff personnel and may have to use subcontractors. Clause 8.4.1 of BS EN ISO 9001:2015 requires you to be able to demonstrate you have established criteria for selection, evaluation, and re-evaluation of suppliers of both product and services including subcontractors.

7.1.2 People

A condition of approval under NACOSS Gold is that all personnel (directors and staff and so on) in “relevant employment” (as per the definition in BS 7858) are security screened in accordance with BS 7858.

You must not allow any subcontractors in relevant employment to have access to confidential information about a customer, their premises, their property, or any security system until they have been security screened to the latest version of BS 7858. You must not use subcontractors at customer premises until they have been security screened.

Where limited security screening of an individual in accordance with BS 7858 has been completed sufficient for commencement of conditional employment, and full security screening is in progress but is not yet completed, such an individual may be treated for the purposes of this Quality Schedule as having been security screened. However, this temporary concession on employment must not extend beyond the limited time period allowed in BS 7858 for completion of full security screening.

Where you contract directly with an individual subcontractor you must carry out the security screening in accordance with BS 7858. This does not stop you from using the services of a third-party security screening service or bureau. However, your organisation (to whom the subcontractor is directly contracted) must see and review the security screening documents and form an employment decision.

Where you contract with another company or agency to supply you with individuals to work for your organisation as subcontractors, you must ensure security screening is carried out in accordance with BS 7858. In some cases, this will require you to audit the security screening files of the other company or agency to check they comply with BS 7858.

7.1.3 Identity cards

All customer-facing staff and their representatives must carry an identity card and have clearly defined procedures to recover identity cards from leavers. Identity cards must, as a minimum, include the following information as per PD6662:
a) The name, address, and telephone number of the organisation.
b) The name of the employee and the employee’s signature.
c) The expiry date of the identity card (not more than three years from the date of issue).
d) A current photograph of the employee.

Depending upon the client base and the type of sites visited, the organisation may also need to consider incorporating additional information on their identity cards, for example, issue numbers.

If you permit another company to issue identity cards for subcontractors they are supplying, you must ensure (for example through written agreement with the other company and subsequent audit) that identity cards are properly issued, controlled and withdrawn.

7.1.4 Infrastructure

You must ensure the premises you operate from meet the requirements of the NACOSS Gold approval criteria. Where a virtual office is used, the requirements of OP2-085 “Requirements for use of a Virtual Office Environment” must be met.

7.1.5 Environment for the operation of processes

No additional requirements apply to this clause of BS EN ISO 9001:2015. However, we draw your attention to the following note in the standard:

The environment for the operation of processes can include physical, social, psychological, environmental, and other factors (such as temperature, humidity, ergonomics, and cleanliness).

Specific aspects of legislation may apply in some cases and NSI approval will not normally be granted if there are any areas of nonconformity with regard to applicable legislation.

7.1.6 Monitoring and measuring resource

You must maintain a register of all instruments and equipment used for measurement, inspection, and testing purposes and, where relevant, you must retain up-to-date records of calibration.

Where you engage subcontractors, whether they are directly or indirectly engaged, you must seek assurance that all measuring devices are and remain appropriately calibrated and retain sufficient documented information to evidence this.

7.1.7 Organisational knowledge

No additional requirements apply to this clause of BS EN ISO 9001:2015.

7.2 Competence

In accordance with clause 7.2 of BS EN ISO 9001:2015, you must determine the necessary competence of persons doing work under your control that affects the performance and effectiveness of the QMS and you must ensure these persons are competent based on appropriate education, training, and experience. Where applicable, you must take actions to enable people to acquire the necessary competence and you must evaluate the effectiveness of the actions taken. You must retain appropriate documented information as evidence of competence.

The fact that someone receives training does not guarantee they will be competent in carrying out their duties and therefore there has to be a system for confirming competency. We suggest you should consider a probationary period for all new people and review their competency formally before granting confirmed employment. The objective here is to identify and address any areas where competency is not immediately indicated, and which could indicate a need for further training/development. Thereafter, you should have a process for verifying ongoing competency which could include feedback from internal and external audits, formal staff appraisal/evaluation and so on.

You must define and document your processes for determining both initial and ongoing competency and ensure that such processes are subject to periodic internal audits.

In determining and being able to demonstrate the availability of the necessary competence within your organisation, a training programme must be established that includes, where relevant:
• surveying & risk assessment skills;
• design skills;
• installation skills;
• inspection and test skills (commissioning and handover);
• maintenance and service skills;
• quality procedures and/or documentation appropriate to business processes;
• company standards for quality and in particular control over requirements;
• internal auditing skills; and
• product-specific training.

Training records must be available for review and you must be able to demonstrate the effective operation of the above training programme and provide assurance as to who attended the training. Training records must include evidence to substantiate that staff have the technical capability to work on the equipment or systems used.

It is not mandatory for personnel to attend external training courses. However, we recommend that selected personnel should attend such courses if the organisation does not possess the necessary skills in a given area.

7.2.1 Subcontractors

You must use subcontractors only as permitted by the scheme approval criteria and NPCC policy document and only where the individuals involved are adequately skilled, experienced, trained, briefed, organised, supervised, and monitored.

If you engage one or more subcontractors directly, or you engage an individual or other company to supply subcontractors, you must ensure there are suitable and adequate procedures and controls in place within the QMS to ensure adequate skill, experience, training and so on.

You must have written agreements with the subcontractors covering the confidentiality of information, training, and assignment to agreed tasks.

You must retain sufficient in-house expertise to verify an acceptable service has been provided and have evidence to show the adequacy of subcontractors’ work is validated periodically. By adequacy, we mean compliance with all the relevant Product Standards and with all your organisation’s procedures and requirements.

7.3 Awareness

No additional requirements apply to this clause of BS EN ISO 9001:2015.

7.4 Communication

No additional requirements apply to this clause of BS EN ISO 9001:2015.

7.5 Documented information

7.5.1 General

You must ensure your QMS includes the documented information required by BS EN ISO 9001:2015 and the documented processes/procedures required by relevant technical standards (e.g. BS 8473 requires a documented process for the management of false alarms).

7.5.2 Creating and updating

No additional requirements apply to this clause of BS EN ISO 9001:2015.

7.5.3 Control of documented information

7.5.3.1 General

Within the general practices of controlling documented information:
a) you must make provision to list the issue status of external documents including those called up in the Rules of NACOSS Gold, Police Force Policies (NPCC, Police Scotland and PSNI) and other applicable standards and regulations;
b) you must make provision to list the issue status of internal documents pertinent to your QMS, including procedures, process maps and so on; and
c) if documented information is held electronically, you must observe the following safeguards and protocols:

(1) Where a document includes a customer signature, the document must be held electronically as a facsimile copy, including a facsimile copy of the signature. Alternatively, traceability from a customer signature on a hard copy to an electronically held document will be acceptable. Where documents held electronically require authorisation (for example, customer specification) then issue status must be allocated and access rights controlled by password entry at appropriate levels of authorisation. If you introduce other arrangements, you must demonstrate that the above principles of authorisation and agreement are upheld. It is your responsibility to determine whether specific contractual documents are required legally to be originals.

(2) You must have robust and secure backup arrangements and you must keep to these arrangements.

(3) You must hold backups of retained information securely (preferably in a fire-resistant container or at a secure off-site location).
We draw your attention to the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA). For companies considering or already using cloud computing services, we draw your attention to the Information Commissioner’s Office (ICO) guidance on the use of cloud computing in relation to compliance with the DPA.

(4) You must have ready access to all documented information for the purposes of our NACOSS Gold inspections/audits/surveillance visits.

7.5.3.2 Control of retained documents

You must include information security policies for the protection of retained information held on portable electronic devices (such as laptops, tablets, and memory sticks) and you must ensure your personnel, including any subcontractors, keep to these policies. For example, devices should be password-protected and/or have their hard drives encrypted. Also, there should be restrictions on leaving devices unattended in vehicles and/or in premises that are not alarmed.

7.5.3.3 Contract information

Records in respect of contracts (including survey notes, design, quotations, amendments, system records, commissioning and handover documents and also, as appropriate, maintenance, disconnection, historical and false alarm records) shall be maintained and made readily accessible for the life of the contract plus a minimum of two (2) years, except where permitted otherwise in the relevant Product Standard.

7.5.3.4 Information on the use of subcontractors

You must retain detailed and complete information (or copies of such information) relating to all pre-contract visits to customer premises made by subcontractors and all work carried out by them. This information must include all necessary details of the risk assessment and design of a security system and of the security system installation as installed.

Where you use (or authorise the use of) subcontractors to visit customer premises at a pre-contract stage, you must keep (or cause to be kept) a detailed log (or other suitable information) sufficient to identify unambiguously by name (or other such detail) each individual who has visited each premises and the date(s) and approximate time(s) of his or her visit(s).

It is sufficient if the detailed log (or other suitable information) is kept by a company working for or under your organisation provided you have access to the log and you review and audit the log for accuracy at least twice a year for its suitability and adequacy.

7.5.3.5 Complaint information

You must retain information regarding complaints for the life of the contract plus a minimum of two (2) years and you must ensure this information is readily available to our auditors.

7.5.3.6 Training information

See BS EN ISO 9001:2015 clause 7.2 for training information.

7.5.3.7 Security screening information

For security screening information, see clause 7.1.2 of this schedule.

8 Operation

8.1 Operational planning and control

You must develop processes for the design, installation, commissioning, and maintenance of electronic security systems to take account of the need for the QMS to incorporate all the product and regulatory requirements of the industry. The extent and form of documented information required must take account of the need to provide evidence:
a) that contractual obligations are agreed and understood by all parties.
b) that system design specifications reflect the level of security required.
c) of the competency of staff personnel and subcontractors.
d) that components used on installations meet the technical requirements of the industry and relevant standards and/or codes of practice.
e) of the processes for design, installation, commissioning and handover and maintenance documentation.
f) of adequate planning and monitoring of installation work including project management techniques where appropriate.
g) of adequate administrative and technical support to installation personnel on-site; and
h) of the appropriate level of on-site supervision, particularly on long-running contracts.

Activities for process control must be consistent with the specified installation requirements for security systems.

Requirements for intruder and hold-up alarm systems are outlined in BSI PD 6662, BS EN 50131 series, BS EN 50136 series, BS 8243, BS 8473, BS 9263 and NCP 120.

Requirements for VSS (CCTV) are detailed in either NCP 104 or BS 8418.

Requirements for access control systems are specified in either NCP 109.

Requirements for scaffolding alarm systems are found in NCP 115.

8.2 Requirements for products and services

8.2.1 Customer communications

The following requirements apply in addition to the requirements of this clause of BS EN ISO 9001:2015:

A specification or system design proposal meeting the requirements of the relevant technical standard or Code of Practice needs to be provided to the client prior to the commencement of installation of the system.

8.2.2 Management of complaints

You must deal promptly with all complaints and in an appropriate manner including sending the complainant an acknowledgment that the matter is receiving timely attention.
You must have a suitable register of complaints, which must include the date of receipt, complainant details, a summary of the complaint, and a complaint reference number or code.

You must register all complaints promptly and then investigate and action them at an appropriate level of seniority. You must find the root causes of complaints so that corrective actions are effective in preventing further occurrences. The decision on the appropriate course of action (or actions) must be documented.

When all reasonable steps have been taken to restore confidence, complaints must be closed by entering a date of closure in the complaint register. The complainant must be formally notified of the outcome of the complaint investigation.

Complaints must be included in the review of nonconformities (see 9.3.2) and consequently clauses 10.1 and 10.2 of BS EN ISO 9001:2015.

We draw your attention to the guidelines in BS ISO 10002:2018 – Quality management – Customer satisfaction – Guidelines for complaints handling in organisations, including guidance for small businesses given in Annex B of BS ISO 10002:2018.

BS ISO 10002 defines “complaint” as an “expression of dissatisfaction made to an organisation related to its product or service, or the complaints-handling process itself, where a response or resolution is explicitly or implicitly expected”. Such expressions of dissatisfaction can be made in a number of different ways; for example, in writing, including email, or orally on the telephone.
We draw your attention to the guiding principles given in clause 4 of BS ISO 10002:2018 which are recommended for effective handling of complaints:
• Commitment (committed to defining and implementing a complaints-handling process).
• Capacity (sufficient resource to deal with complaints effectively and efficiently).
• Transparency (well publicised information about where, and how, to complain).
• Accessibility (easily accessible to all complainants).
• Responsiveness (immediate acknowledgement and addressed promptly).
• Objectivity (equitable, objective, and unbiased).
• Charges (free of charge).
• Information integrity (handling of complaints and data collection).
• Confidentiality (protected from disclosure except where consented).
• Customer-focused approach (open to feedback and commitment to resolve).
• Accountability (for and reporting on the organisation’s actions and decisions).
• Improvement (permanent objective of the organisation).
• Competence (personnel have the necessary competence to handle complaints).
• Timeliness (complaints resolved in a timely manner).

8.2.3 Determining the requirements related to products and services
The following requirements apply in addition to the requirements of this clause of BS EN ISO 9001:2015.

8.2.3.1 Maintenance contracts
You must have a policy as an installer of Electronic Security Systems that each customer entering into a contract for the installation is required also to enter into a maintenance service agreement running for at least one year from the date of installation of the system. The following exceptions are permitted:
a) Where you have on file evidence your customer has declined the offer of a maintenance contract (and the provisions of the relevant NPCC, Police Scotland or PSNI policy on police response to security systems do not apply).
b) Where you have evidence the contract was for installation only.
c) Where you install a system for use in connection with your own operations (for example, to supervise premises you occupy). The obligation to carry out maintenance remains. However, the requirement for a formal service agreement is waived. Maintenance must be carried out as if such a contract existed between you as supplier and you as user of the security system.

You may terminate a maintenance service agreement (including termination prior to the end of the first year) if any of the following circumstances arise:
a) Tenure of the supervised premises changes hands.
b) Payment is overdue, your customer having been duly invoiced, and a reminder having been sent containing a warning notice to the effect that non-payment will lead to discontinuation of maintenance service (and normally to disconnection of monitoring also – see below).
c) Your customer has applied in writing to be excused from the agreement.
d) The maintenance service agreement is transferred with your agreement to another NSI approved company.
e) Exceptionally, where your customer has acted unreasonably, made unreasonable demands on your organisation or is guilty of a substantial breach of contract.

The provision of monitoring services must be conditional upon the system being and remaining the subject of a maintenance service agreement.
Where maintenance service is discontinued (whether due to expiry of the maintenance service agreement or otherwise), you must cease monitoring the system within thirty days of the cessation of maintenance service, having first notified your customer by writing to them at their last known address. In all cases where maintenance service is discontinued, you must inform your customer immediately by writing to them at their last known address.

8.2.3.2 Permission to use subcontractors
You must ensure subcontractors are used at customer premises only to the extent that the written contract expressly allows, and then only as permitted in this Quality Schedule.

Organisations wanting to use subcontractors may either: (a) specifically tell particular customers that part (or the whole) of their contract may be subcontracted and carried out by people who are not staff personnel of the organisation, or (b) may include in their usual contract conditions a statement that subcontracting may take place.

This Quality Schedule does not restrict an organisation from bringing onto customer premises representatives of the manufacturer or supplier of equipment or components used in a security system for the purpose of advising the organisation or assisting with the resolution of an identified fault or problem, provided that a member of the staff personnel of the organisation always accompanies such representatives.
8.2.3.3 Use of subcontractors at customer premises pre-contract
Where a subcontractor visits customer premises before a contract has been entered into (for example, as part of the selling process, and/or to undertake a survey and/or a risk assessment), it is important there must not be any scope for ambiguity or misunderstanding about which company the subcontractor is representing and which company’s services the subcontractor is promoting.

The “Group Rules” state that NSI approved companies may not operate in partnership or association with non-NSI security system service providers (except if NSI has allowed a special exemption, which is allowed only in limited special circumstances). The “Group Rules” are intended to safeguard members of the public and to minimise the risk of misunderstandings and complaints.

Members of the public who believe that they are dealing with a representative of one or more NSI approved companies are entitled to expect the security system services they receive as a result of their contact with such persons will be in full accord with NSI requirements and will be provided by an NSI approved company.

It follows that a representative acting (in relation to the customer) on behalf of one or more NSI approved companies must not at the same time be acting (in relation to the said customer) for any non-NSI security system service provider.

During all their dealings with the customer, the subcontractor must work solely on behalf of one or more NSI approved companies and, specifically when they are attending the customer premises, they must not display or promote the security or fire safety products or services of any non-NSI security system service provider.

If subcontractors representing your organisation visit customer premises at a pre-contract stage, you must ensure the processes and contract terms are suitable and adequate to ensure the above safeguards and restrictions concerning the use of subcontractors are complied with.
8.2.3.4 Confidentiality declarations
Subcontractors having access to confidential information about a customer, their premises, their property or about any security system need to have signed a declaration (which must be held on file by the organisation through whom they are engaged) in which the subcontractor agrees to be bound by the requirements of confidentiality of your organisation.

In this declaration, the subcontractor(s) agree they will not at any time release information about your organisation, or about its clients, to any third party without this having been agreed beforehand, and further agreeing to be bound by this even after the certificate has expired or been cancelled and after they are no longer used by your organisation.

8.2.3.5 Code of ethics regarding selling and pre-contract stages
In all cases where your organisation employs or authorises individuals (subcontractors) to visit customer premises at a pre-contract stage, you must develop and adopt a written code of ethics and good practice for visits to customer premises and the selling of security systems. You must also ensure that this code of ethics and good practice is taught to all relevant individuals and is effectively enforced.

You must observe and maintain high standards of fairness and integrity, ensuring that no individual engages in misleading, unfair, or pressurised selling techniques.

Any instances of reported issues or breaches of the code of ethics must be investigated and addressed promptly. These incidents must be documented, and corrective actions (clause 10.2) must be taken where necessary.
Additionally, all such instances and the resulting actions must be reviewed as part of the organisation’s ISO 9001 management reviews (clause 9.3) to ensure ongoing compliance and continual improvement.

8.2.4 Review of requirements related to products and services
Associated practices in respect of the agreement for the system design specification are set out in clause 8.3.

For guidance, relevant requirements may be found:
• in PD 6662, BS EN 50131, BS EN 50136, BS 8473, BS 8243, and BS 9263 (for intruder alarm systems).
• in BS 8418 or NCP 104 (for VSS (CCTV) systems).
• in NCP 109 (for access control systems); and
• in NCP 115 (for scaffolding alarm systems).

a) General
The identity of the persons allocated responsibility and authority to carry out contract reviews must be clearly defined and communicated within the organisation (clause 5.3 of BS EN ISO 9001:2015 refers).

b) Review
Reviews must be undertaken:
(i) before submission of any tender or quotation, to confirm the requirements are adequately defined and documented and your organisation has the capability and resources to meet the requirements including any statutory and regulatory requirements; and
(ii) after receipt of the customer’s reply to any tender or quotation, or on receipt of the purchase order; to ensure any changes requested by the customer are resolved.

There must be evidence, by means such as stamp, signature, or electronic authorisation, of all reviews.
You must make clear in appropriate documentation whether or not your organisation accepts oral confirmation of orders and, if so, your policy must require you to send a written statement to the customer stating your understanding of the agreement and confirming that this will be taken as the agreement unless the customer notifies otherwise in writing.

c) Amendment to contract
On completion of the installation, your processes must ensure all amendments are agreed upon, documented, and authorised by the customer and the requirements of the contract (including, if appropriate, a remote signalling connection and notifications to third parties) are completed.

d) Documented information
You must retain documented evidence of contract reviews for the life of the contract plus a minimum of two (2) years. Certain contract information may need to be held for a longer period to satisfy HM Revenue and Customs and VAT requirements and so on.

e) Customer liaison
You must maintain effective customer liaison throughout the life of the contract.

Clause 8.2.2 of BS EN ISO 9001:2015 makes it clear that statutory and regulatory requirements shall be determined and a NOTE in the Standard references that supplementary services such as recycling or final disposal are post-delivery activities and must also be considered.

With any accredited management system certification, there is increasing recognition that certification ought to give a level of assurance that the approved organisation is aware of relevant legislation and is compliant.
The reference to recycling or final disposal is a useful pointer to the increasing raft of environmental legislation that applies to organisations whether or not they choose to implement an Environmental Management System. For example, electronic and electrical equipment can no longer be sent to landfill (the WEEE Regulations apply) and manufacturers of certain types of equipment are obliged to have or participate in a take-back scheme for the old equipment.

We should maintain a consolidated list of the legislation you believe is relevant to your organisation (see also clause 7.5.1).

8.2.5 Changes to requirements for products and services
No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.3 Design and development of products and services

8.3.1 General
We consider the detailed selection, placement and configuration of products and the interconnection to meet the specified requirements for a particular installation is application design rather than development (such as the conceptual design of new products). For this reason, the word ‘development’ has been excluded from the sub-headings of this section on design (and therefore differs in this respect from the corresponding clauses in BS EN ISO 9001).

If you subcontract design work you must retain sufficient in-house expertise to verify that all designs, and all subsequent installations, meet the relevant Product Standards.

8.3.2 Design planning
In the case of intruder alarms, we draw your attention particularly to DD CLC/TS 50131-7 & BS 8243. For VSS (CCTV) NCP104, for Access Control NCP109 and for Scaffold Alarms NCP119.
We will consider design planning arrangements differing from those set out in 8.3.2 below (for any organisation wishing to adopt differing arrangements) provided there is evidence the arrangements adopted ensure the provisions of BS EN ISO 9001:2015, this Quality Schedule and the relevant technical and other Standards, Codes of Practice, regulatory requirements and so on are met. Any organisation wishing to adopt alternative arrangements should write to us giving details.

1) You must adopt controls to ensure:
a) The appropriate stages of system design specification development (viz. design planning, design inputs, design controls, design outputs and design changes; see 8.3 of BS EN ISO 9001:2015) are followed.
b) The customer is made aware of and agrees to the limitation (if any) of the demands of the appropriate technical standard and regulatory requirements of other interested parties (e.g. local authority, police, insurers).
c) The customer is made aware of and agrees to any other limitations to the design (or to the proposed design) in terms of adequacy of detection/control and warning/signalling capability.
d) The requirements of the customer are translated into a system design specification that is appropriate to the premises (or site) where the security system is to be installed and that lists the equipment and components to be supplied, detailing their proposed locations and containing a general indication of their coverage and purpose.
e) The system design specification contains within it a Design Statement, which includes information on any limitations to the design in terms of adequacy of detection/control and warning/signalling capability.
(Alternatively, the Design Statement may be a separate document, provided it is clearly referenced within the system design specification).
f) There is consideration of any variations and amendments in the customer requirements as installation proceeds (or arising from practicalities coming to notice as installation proceeds), and documented agreement of such variations or amendments between the customer and the organisation, in the system design specification, or in properly issued amendments to the system design specification, or in an “as-fitted” system document; and
g) Agreed Deviations (agreed by you with the customer, insurer & interested parties, i.e. Police) to the requirements of the relevant standard shall be documented as per the NSI approval criteria (see NSI NACOSS Gold approval criteria).

2) In discharging your responsibility (see 8.3.2 of BS EN ISO 9001:2015) to define the responsibilities and authorities for design and to manage the interfaces between different groups involved in the design, the following requirements must be met:
a) You must designate one or more suitably competent individual(s) as “nominated designer(s).”
b) Each individual designated by you as a nominated designer must be competent to undertake tasks including:
i. acting as the focal point for matters of design of the Security System installation.
ii. assessing the security factors (for example relating to adequacy of detection/control and warning/signalling capability) influencing the design.
iii. being conversant with the products and systems specified and with any significant security limitations inherent in such products and systems.
iv. ensuring that the content of quotations and system design specifications is compatible with the requirements of the applicable Product Standards, regulatory standards, and NACOSS Gold Codes of Practice.
v. “Signing Off” designs on behalf of the organisation.
vi. being conversant with and up to date in respect of new technologies, technical standards, regulatory standards, and national implementation of EU Directives and so on relevant to the design process; and
vii. being conversant with installation requirements such that system design specifications are professionally compiled and finalised in a manner which gives clear and unambiguous information to the customer and to the installing technician.
c) There should be evidence that nominated designers are willing to seek advice and guidance as required from other companies (such as equipment manufacturers) and organisations, and to develop and to keep up to date their skills by such means as reading security magazines and journals, attending conferences, workshops and CPD (continuous personal development).
d) In all cases, a site survey (preferably at the initial enquiry stage, or at some other stage prior to the issue of a quotation and system design proposal, but always at a stage prior to the actual commencement of installation) must be undertaken by a nominated designer.

The final “sign-off” of a system design proposal on behalf of the organisation must not occur until such a site survey has been completed.

Clause d) does not apply to new builds on green or brownfield sites. It does apply to retrofitting existing buildings.
8.3.3 Design inputs
No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.3.4 Design controls
The specification should reference all relevant British Standards, NSI (National Security Inspectorate) Codes of Practice, and applicable Police guidelines, as appropriate to the installation requirements.

A formal technical review of the design should have been undertaken by a competent nominated designer to ensure the design satisfies all relevant criteria and complies with applicable standards.

8.3.5 Design outputs
In-process inspection and testing (for example, during commissioning), and final inspection and testing (for example, at handover), must be consistent with the requirements of the appropriate standards (for example BS 9263) and with specific contract requirements.

8.3.6 Design changes
Following a change in design, the design Specification/As Fitted document should be amended and the customer should receive a copy.

Commissioning, testing and handover in accordance with applicable standards (for example, BS 9263, NCP104, NCP109 and NCP119) will normally fulfil the requirements.

8.4 Control of externally provided products and services

8.4.1 General
In accordance with clause 8.4.1 of BS EN ISO 9001, you must evaluate and select suppliers (including subcontractors and companies who provide subcontractors) based on their ability to supply product or service in accordance with your requirements and the requirements of this Quality Schedule, which includes the requirements of the relevant Product Standards.

You must establish criteria for selection, evaluation and re-evaluation of suppliers and retain documented results including any necessary actions arising from evaluation and re-evaluation.

8.4.2 Use of subcontractors
We recommend, wherever possible, and particularly in relation to preventive and corrective maintenance of intruder and hold-up alarms, that you should set up long-term standing agreements with subcontractors in order to provide continuity of service meeting the requirements of this Quality Schedule. These agreements should not stand in the way of an initial probationary period or early termination clauses which come into play if a party to the agreement fails to perform adequately or is in default.

If you enter into contracts to supply the monitoring of intruder and hold-up alarms, including intruder alarms from scaffolding alarm systems, you must use only Alarm Receiving Centres (ARCs) approved by NSI (or other ARCs approved by an independent third-party approvals organisation acceptable to NSI and complying with the requirements of BS EN ISO 9001, NSI Quality Schedule SSQS102 and BS 5979 or BS EN 50518 and BS 9518).

If you enter into contracts to supply the monitoring of VSS (CCTV) systems (non-BS 8418), you must use only:
• Alarm Receiving Centres (ARCs) approved by NSI for monitoring VSS (CCTV) systems (or other ARCs approved by an independent third-party approvals organisation acceptable to NSI and complying with the requirements of BS EN ISO 9001, NSI Quality Schedule SSQS102 and BS 5979 or BS 9518); or
• VSS (CCTV) control rooms approved by NSI (or other VSS (CCTV) control rooms approved by an independent third-party approvals organisation acceptable to NSI and complying with the requirements of BS EN ISO 9001 and BS 7958).
In the case of VSS (CCTV) system installations complying with BS 8418, you must connect them only to monitoring centres that hold NSI ARC Gold approval as Remote Video Response Centres (RVRCs) (or other RVRCs approved by an independent third-party approvals organisation acceptable to NSI and complying with BS EN ISO 9001, NSI Quality Schedule SSQS102 and BS 5979 or BS 9518).

8.4.3 Type and extent of control
You can use subcontractors for any part of the service subject to compliance with BS EN ISO 9001 and the requirements of this Quality Schedule, which includes the requirements of the relevant Product Standards (such as PD 6662 / BS EN 50131 / BS EN 50136 for intruder and hold-up alarm systems).

You must:
a) maintain a register of all subcontractors, which must clearly show the services they can supply.
b) clearly record the basis of selection of all subcontractors.
c) conclude formal agreements that adequately cover the services to be provided and make it clear services can only be delivered by named individual subcontractors who have been security screened and whose competency is demonstrated.
d) audit and monitor subcontractors on the same basis as staff personnel.
e) brief subcontractors on the organisation’s policies, processes, work instructions and documented information to be completed to verify completion of assigned tasks or service delivery.
f) retain overall responsibility for all subcontracted services even if extensive use is made of subcontractors.
g) allow us to have the right to audit the work carried out by subcontractors and interview such subcontractors to confirm their competence.
h) retain sufficient in-house expertise, if system design is subcontracted, to enable you to verify the designs are compliant with the relevant Product Standards.

If you carry out component and equipment repairs, you must carry out these repairs in accordance with UK Regulations and then only if you are the component manufacturer, the manufacturer’s appointed repair agent, or you have a facility that has been assessed satisfactorily against BS EN ISO 9001 (or an equivalent specification) by a recognised, third-party certification body.

8.4.4 Information for external providers
No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.5 Production and service provision

8.5.1 Control of production and service provision

8.5.1.1 Use of subcontractors
You must require your subcontractors to allow our auditors to examine and inspect vehicles, office premises, workshops and so on used during subcontract work, and to co-operate in and facilitate such examinations and inspections.

You must ensure the tool kits used by subcontractors are adequate for the purpose and are consistent with your requirements.

8.5.1.2 Maintenance and service provision
We remind you that maintenance and service must be carried out in accordance with published requirements (e.g. for intruder and hold-up alarm systems, PD 6662, DD CLC/TS 50131-7, BS 9263 and relevant parts of NCP 120).

You must provide adequate administrative and technical support to service personnel (including any subcontractors engaged in maintenance and service).

For component and equipment repairs, see 8.4.1 of this Quality Schedule.
The following specific requirements apply to maintenance of intruder and hold-up alarm systems:

a) Corrective maintenance
For intruder and hold-up alarm systems, you must have a process for false alarm management in accordance with BS 8473 (British Standard Code of Practice for False Alarm Management).

These processes must be consistent with the provisions of BS 8473 for escalating response; the identification and resolution of troublesome systems including those off Police response; the ongoing performance review by the Systems Performance Executive; and the following requirements:
1) The date and time of receipt of every request for corrective maintenance, together with the date and time of arrival on site and of any necessary action must be documented. This documented information must be kept for at least fifteen (15) months after the event to which it refers, and the customer provided with a copy.
2) Authorisation from the customer for temporary disconnection must be kept for at least three (3) months after reconnection.
3) There must be adequate access to spares at all times.
4) You must audit all technicians’ holdings of spares to ensure continued adequate provision (see BS EN ISO 9001:2015 Clause 9.2).

These processes must also include the requirements of the relevant British and European standards and NSI code of practice; for example, BS 9263, NCP120, NCP109 and NCP104.

b) Preventive maintenance
You must have a process for the planning, scheduling, and implementation of preventive maintenance and also for the review of preventive maintenance performance.

We draw your attention to NCP120 and BS 9263 for preventative maintenance requirements, and TECHNICAL BULLETIN No: 0068 Information concerning the level of performance in relation to the carrying out of routine (preventive) maintenance visits and Corrective Maintenance visits.

c) Use of subcontractors to maintain intruder and hold-up alarms
Where maintenance of intruder and hold-up alarms is subcontracted, the arrangements must be such that the requirements of this Quality Schedule and the industry standards (for example, see BS 9263) are met, as well as all other contractual obligations. It is helpful if the subcontractor is working under a long-term standing agreement with your organisation intended to continue for several years so that, for example, absences due to sickness can be adequately covered.

In-process inspection and testing (for example, during commissioning), and final inspection and testing (for example, at handover), must be consistent with the requirements of the appropriate European Standard(s) (for example, DD CLC/TS 50131-7) and NSI Codes of Practice (e.g., NCP 120, NCP 104, NCP 109, NCP 115), as well as specific contract requirements.

Documentation commonly used in the industry includes design and installed system specifications, details of operational checks, handover checklists, completion certificates, certificates of compliance, applications for police response, preventive and corrective maintenance reports, etc. Inspection and test status is established through use of such documentation.

8.5.2 Identification and traceability
Unless customers impose special contractual conditions, your processes must reflect the extent of traceability of equipment and/or components, required for your own purposes, such as for reasons of a warranty.
Where applicable, each business process must contain provision for identifying specific traceability requirements; that is, installation historical log, false alarm history, security screening in progress and so on.

8.5.3 Property belonging to customers or external providers

Processes for the takeover of installations must be consistent with the requirements of NSI Regulations and codes of practice.

BS EN ISO 9001 includes a note to remind organisations that “Customer property can include material, components, tools and equipment, customer premises, intellectual property and personal data”.

NSI certificates of approval and Police Issued URNs belong to the NSI/Police Forces and can be withdrawn, so they should be considered within the clause.

8.5.4 Preservation

No additional requirements apply to this clause of BS EN ISO 9001:2015.

It is important that you follow manufacturers’ instructions, particularly in relation to the use of batteries and to the use of electronic components sensitive to electrostatic charge. The “first in, first out” system of stock control is recommended for batteries and other items with a limited shelf life.

8.5.5 Post-delivery activities

Maintenance must be carried out in accordance with the recommendations of, for example, BS 9263, NCP120 and other applicable NSI codes of practice as well as manufacturer guidelines.

You must provide adequate administrative and technical support to service personnel including any subcontractors engaged in maintenance and service. You must ensure adequate access to spares at all times. For component and equipment repairs see 8.4.2 of this Quality Schedule.

8.5.6 Control of changes

No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.6 Release of products and services

No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.7 Control of nonconforming outputs

Documented information for the control of nonconforming process outputs, product and services must provide for identification of:

• security systems giving repeated problems (troublesome systems);
• inadequate monthly servicing (maintenance) performance;
• temporary disconnections;
• non-conforming security system installations;
• defective components;
• complaints from any parties; and
• any other type of nonconforming product as determined by the organisation.

A process must be in place to ensure customers and alarm-receiving centres are informed in writing of any known change to the level of police response afforded to a security system.

Means for identifying nonconforming products may be found in other parts of the QMS, for example through technical auditing of systems and through investigation of customer complaints. Corrective action forms under a corrective action process may be used as a means for documenting the existence of nonconforming products and ensuring appropriate corrective action is taken.

9 Performance evaluation

9.1 Monitoring, measurement, analysis, and evaluation

9.1.1 General

You must have a process for the management of complaints (see clause 8.2.1). This process must cover all complaints whether they are from directly contracted customers or from stakeholders including the police and the insurers.
This process (or a separate one) must also cover situations where we contact you about a complaint made to us about your organisation. The process for management of complaints can be included in the process(es) for the control of nonconforming products (see 8.7) or can be a standalone process.

9.1.2 Customer satisfaction

You must monitor customer perceptions to assess how effectively their requirements are being met. Sources of information on customer perception could include:

• the outcome of customer satisfaction surveys;
• the number of sales arising from recommendations;
• the number of installations taken over by competitors;
• the number of installations deemed as “troublesome” for reasons attributable to your organisation (including shortcomings in subcontracting arrangements);
• complaints against your organisation;
• letters of commendation received from satisfied customers;
• other sources as determined by you;
• trends in false alarm performance; and
• warranty claims.

The maintenance of good relationships with customers is a significant factor affecting the success and growth of any business. Concern for the customer should be part of the overall business strategy. You should set out to avoid complaints. When complaints do occur, the objective should be to come out of each situation with a strengthened relationship with whoever is complaining.

9.1.3 Analysis and evaluation

Your analysis of data must include the provision of information relating to:

• customer satisfaction (see clause 8.2.1);
• external suppliers of products and services (see clause 8.4); and
• core business processes.

In relation to customer satisfaction, you must analyse the causes of complaints. The analysis must form part of the input to management review (see clause 9.3.2). The main purpose of the analysis is to assist you in deciding on appropriate corrective action with a view to improving customer satisfaction and reducing future incidence of complaints.

The following analysis of rectified complaints by ‘cause code’ is suggested:

a) Unsatisfactory work (relating to fixing and finishing).
b) Unsatisfactory installation (relating to performance or safety).
c) Disputed service charge.
d) Failure to meet service contract (including corrective maintenance).
e) Lack of timely response to enquiries and complaints.
f) Dispute over rental/maintenance charge.
g) Behaviour of organisation’s personnel.
h) Behaviour of subcontractors (if used).
i) Accounts dispute (not emanating from one of the items listed above).
j) Other (use text).

You must examine causes of complaints at appropriate intervals and make and document suitable decisions or recommendations regarding corrective action (for example, in relation to common causes of complaint).

For Electronic Security Systems, the following must be recorded and maintained as documented information:

• (Intruder and Hold-Up alarms only) False alarm statistics reviewed by the Systems Performance Executive on an ongoing basis (see BS 8473). Such statistics and trends must also form part of the Management Review.
• The level of achievement for preventive (routine) maintenance performance.
This information must also form part of the Management Review (as well as providing the information necessary to deliver any corrective actions that may arise).
• The level of achievement in respect of four-hour response for Intruder and Hold-Up alarm systems or the contracted Service Level Agreement (SLA) for VSS (CCTV) and Access Control Systems to requests for corrective (i.e. emergency) maintenance. This information must also form part of the Management Review (as well as providing the information necessary to deliver any corrective actions that may arise).

9.2 Internal audit

The requirements are as specified within BS EN ISO 9001:2015, with the clarification that the audit programme must include the following:

a) Technical auditing of the work of each installing technician (including any subcontractors) using appropriate installation checklists encompassing the specific requirements of the standards and codes of practice for the security systems installed (intruder and hold-up alarms, VSS (CCTV) video surveillance systems and/or access control).
b) Technical auditing of each commissioning technician (if such technicians are used solely for commissioning work) using appropriate commissioning checklists encompassing the specific requirements of the standards, codes of practice and manufacturers’ documentation for systems installed.
c) Technical auditing of the work of each maintenance technician (including any subcontractors) using appropriate maintenance schedules encompassing the specific requirements of the standards and codes of practice for the security systems maintained and using installation checklists (as detailed immediately above) to confirm the standard of installations.
d) You must plan, establish, implement and maintain an internal audit programme which must include a statement (or statements) of the frequency at which audits shall be undertaken (a minimum of one per technician (including any subcontractors) over a twelve-month period) and the person(s) nominated by the organisation to undertake the audits. You must also define the steps to be taken if the installations selected fail to meet the specified criteria and you must include a reference to training needs and/or an increase in the frequency and number of audits.

Your capability to monitor standards of installation and service is an auditable element of NACOSS Gold and you must be able to demonstrate you are capable of identifying all your own nonconformities.

9.2.1 Selection, auditing, and review of subcontractors

In accordance with BS EN ISO 9001, thorough and effective processes must exist for the selection, auditing, and periodic review of subcontractors. The level of auditing of subcontracted work must not be less than the level of auditing that is applied to work undertaken by the organisation’s own personnel.

Where the auditing of the work of subcontractors is undertaken by a subcontractor company by, through, or under which the subcontractor is engaged, you must inspect the audit documents and carry out audits of installations to verify the standard of the subcontracted audits, and periodically you must accompany the subcontractor’s auditor on witnessed audits. You must retain information on the audits and checks you carry out.

9.3 Management review

9.3.1 General

The general requirements set out in clause 9.3.1 of BS EN ISO 9001:2015 apply.

We recognise there are different views as to who are the top management personnel who should carry out the management review. Each case has to be considered on its own merit, particularly in large multi-layered organisations such as PLCs. For example, it may not be practical or necessary for all directors to be present at the management review meetings if, when interviewed on actual audit, they can demonstrate awareness of all significant issues raised at the meetings.

9.3.2 Management review inputs

Top management must review the organisation’s quality management system which must include, but not be limited to, the following areas as appropriate to the type of security systems installed:

• The status of actions from previous management reviews.
• Changes in internal and external issues that are relevant to the quality management system (including changes in legislation, and changes in police policies).
• Information on the performance and effectiveness of the quality management system, including trends in:
    o customer satisfaction and feedback from relevant interested parties (including the analysis of complaints);
    o the extent to which quality objectives have been met;
    o process performance and conformity of products and services (including performance and trend analysis for routine maintenance, response to emergency call outs and false alarms (where applicable));
    o non-conformities and corrective actions;
    o monitoring and measurement results;
    o audit results;
    o the performance of external providers (including suppliers, subcontractors and alarm receiving centres); and
    o effectiveness of continual improvement initiatives.
• Adequacy of resources (including human, equipment, and facilities).
• The effectiveness of actions taken to address risks and opportunities.
• Opportunities for improvement (including assessment of new software and hardware).
• Review adequacy of Quality Policy and Quality Objectives.
• Training needs and requirements.
• Infrastructure (when appropriate).
• Evaluation of legal compliance.

9.3.3 Management review outputs

No additional requirements apply to this clause of BS EN ISO 9001:2015.

10 Improvement

10.1 General

No additional requirements apply to this clause of BS EN ISO 9001:2015.

10.2 Nonconformity and corrective action

You must have effective process(es) for the development and implementation of appropriate corrective actions where a nonconforming process output, product or service is identified, including false alarms, substandard installations, poor service performance and customer complaints, to prevent the recurrence of the nonconformity.

Clause 10.2 of BS EN ISO 9001 makes it clear that the organisation must take action to eliminate the causes of nonconformities to prevent recurrence and that nonconformities include customer complaints.

You must carry out root cause analysis to find the causes of nonconformities to support the corrective actions taken in response to nonconformities.

You must retain sufficient documentation to provide evidence of the nature of any nonconformities identified and subsequent corrective actions and you must retain evidence of the results of this corrective action.
As a minimum, this retained information must include evidence of the review of audit results, service reports, false alarm statistics, and customer complaints.

10.3 Continual improvement

No additional requirements apply to this clause of BS EN ISO 9001:2015.

Measures in 10.2 and 10.3 are not exhaustive. Corrective actions and opportunities for continual improvement may apply to other areas of the quality management system.