Search results

22301 certification

Since ISO 27001 and ISO 22301 share many requirements (e.g., document management, internal audit, management review, etc.), the effort to implement the specifics of ISO 22301 (i.e., mainly clauses 6 and 8) is roughly 30% of the cost of ISO 27001 implementation.

Toolkit documents

Please note that the information security roles and responsibilities are defined and allocated along all the templates in the toolkit.

High-level roles and responsibilities are defined in the Information Security Policy, while specific ones are defined in specific policies and procedures.

For example, you can find this type of structure in the Backup Policy:
[job title] must perform backup copies at planned intervals.

[job title] must test backup copies to ensure the backup was performed successfully.

For further information, see this article on documenting roles and responsibilities according to ISO 27001. 

Where is your Continual Improvement policy template?

Please note that ISO 27001 does not prescribe any specific documentation for clause 10.1 Continual Improvement.

Our ISO 27001 Documentation Toolkit covers all mandatory documents and some documents that are not mandatory. A Continual Improvement policy do not need to be documented according to the standard, and in our opinion it would be an overhead to document it in a small company. 

Our toolkit is created specifically for smaller companies that want to implement ISO 27001 in a quick way, without unnecessary paperwork; for larger companies that require more documents we recommend getting some other solution.

This article will also help you: List of mandatory documents required by ISO 27001 (2013 revision)

Commitment to continual improvement is defined in the Information Security Policy, which can be found in folder 05 General Policies.

Examples of how you can demonstrate continual improvement are:

• decrease in the number of incidents and losses due to security incidents
• changes in the ISMS to correct problems or take advantage of opportunities identified during the management review

These articles will provide you with further explanation about continual improvement:
- Why is management review important for ISO 27001 and ISO 22301?
- Achieving continual improvement through the use of maturity models

Exclusions of the ISMS scope

You are basically right - if the HR department is outside of the ISMS scope, from the ISMS point of view it will have the same status as a third-party provider; of course, legally speaking, your HR department is not a third-party provider, but a organizational unit of your company.

• All you need to know about setting the ISO 27001 scope

• Tool for defining the ISO 27001 ISMS scope

• Procurement and ISO 9001

  To align procurement with ISO 9001:2015, organizations need to consider the following:

  • Supplier Selection: ISO 9001 emphasizes the importance of selecting and evaluating suppliers. When procuring goods and services, organizations should choose suppliers that meet quality and performance requirements.
  • Supplier Audits: Organizations can conduct supplier audits to ensure that suppliers are conforming to quality and performance requirements set by the organization.
  • Quality Requirements: When procuring products or services, organizations should clearly communicate their quality requirements to suppliers. This includes defining specifications, standards, and other quality-related criteria.
  • Control of Purchased Goods and Services: ISO 9001 requires organizations to have processes in place for the control of purchased goods and services. This includes inspection, verification, and validation of products or services received from suppliers to ensure they meet specified requirements.
  • Monitoring and Improvement: ISO 9001 mandates ongoing monitoring and improvement of the quality management system. This extends to the procurement process, where organizations should track supplier performance and take corrective actions when necessary.
  • Continuous Improvement: ISO 9001 promotes a culture of continuous improvement. Organizations should use data and feedback from the procurement process to identify areas for improvement, enhance supplier relationships, and ultimately enhance the quality of the products or services they deliver to customers. 

  You can find more information at the following link:

  • Purchasing in QMS - The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/

  • Creating the Register of Legal, Contractual, and Other Requirements

    First is important to note that in this module, you need to list only the requirements of customers and regulators you need to comply with. Requirements related to suppliers are handled only in case there are risks that justify handling them.

    Considering that, you should list each regulation as a unique entry because they are typically related to a specific reference (e.g., data privacy in Europe refers to GDPR and in Brazil to LGPD).

    Regarding clients, you can group the clients with the same requirements together (e.g. if you have the same agreement signed with all of them), or you should list them separately if their security requirements are very different.

    Regarding the level of detail, you can include only a summary of the requirement and refer to another document where more detailed information can be found. 

  • Is it mandatory to use a consultant for QMS and should we request a certificate from the auditor?

    ISO 9001:2015 does not specifically require organizations to use a consultant for QMS implementation or to acquire an auditor's certificate. ISO 9001 emphasizes that organizations are responsible for developing, implementing, and maintaining their QMS

    The decision to engage a consultant or acquire auditor certification is typically at the discretion of the organization. Many organizations choose to work with consultants for various reasons, including expertise, guidance, and resources. However, this is a business decision and not a mandatory requirement outlined in the ISO 9001 standard.

    It's important to note that while the ISO 9001 standard doesn't mandate these activities, organizations should ensure that their chosen consultants or auditors are qualified and competent to provide the necessary expertise and meet the standard's requirements. Additionally, some industries or sectors may have specific regulations or customer requirements that influence the use of consultants or auditors, but this is not a requirement dictated by the ISO 9001 standard itself.

    You can find more information below:

    • How to become an ISO 9001 consultant - https://advisera.com/9001academy/blog/2016/11/15/how-to-become-an-iso-9001-consultant/
    • How to choose an ISO 9001 consultant - https://advisera.com/9001academy/blog/2019/11/12/iso-9001-consultant-how-to-hire-the-right-one/
    • How to sell your ISO 9001 consulting services - https://advisera.com/9001academy/blog/2017/06/20/how-to-sell-your-iso-9001-consulting-services/
    • Free webinar on demand – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
    • Enroll for free course - ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • How to write a separate strategic risk assessment?

    To define strategic risk assessment separately from operational risk assessment and assign appropriate rankings, first, identify strategic risks that could affect your long-term objectives, such as market changes or regulatory shifts. Develop a unique set of criteria for strategic risks, considering their impact and likelihood
    For these strategic risks I use clauses 4.1, 4.2 and 6.1.1. Please check this free webinar-on-demand - How to Implement Risk Management in ISO 9001:2015 slide 11. Although it is about ISO 9001, I think it can help.
     
    For operational risks, focus on environmental aspects and impacts and consider abnormal and emergency situations. Then, assign rankings based on the specific criteria for each category. Strategic risks may receive rankings based on their potential impact on long-term goals, while operational risks are ranked according to their daily impact and likelihood.
     
    You can find more information in:

    • ISO 14001 risks and opportunities vs. environmental aspects
    • The role of risk management in the ISO 14001:2015 standard

  • Writing standard operating procedure

    As the purpose of a standard operating procedure is to minimise deviations by standardising the process,  documenting a process as an SOP starts with knowing the risks and critical steps that should be controlled and carefully communicated. The depth of detail in the SOP will depend on the context of your laboratory, for example, the number of people performing the task and their competency.

    Standard operating procedures for any laboratory are typically divided into two categories – Management (nontechnical) and technical. An example of a management procedure would be for handling non-conformances and corrective actions. Technical SOPS could either document, for example, the approach to method validation or document the test methods itself.  As the purpose is to minimise deviations by standardising the process,  documenting a process as an SOP starts with knowing the risks and critical steps that should be controlled and carefully communicated. The depth of detail in the SOP will depend on the context of your laboratory, for example, the number of people performing the task and their competency. Either way, it is recommended that you have a standard format. For more information, have a look at the Advisera Toolkit https://advisera.com/toolkits/?standard=iso-17025 and a previous question. https://community.advisera.com/topic/document-and-record-control-procedure-means-what-are-the-procedure-will-include/