Search results

Exclusions of the ISMS scope

You are basically right - if the HR department is outside of the ISMS scope, from the ISMS point of view it will have the same status as a third-party provider; of course, legally speaking, your HR department is not a third-party provider, but a organizational unit of your company.

• All you need to know about setting the ISO 27001 scope

• Tool for defining the ISO 27001 ISMS scope

• Procurement and ISO 9001

  To align procurement with ISO 9001:2015, organizations need to consider the following:

  • Supplier Selection: ISO 9001 emphasizes the importance of selecting and evaluating suppliers. When procuring goods and services, organizations should choose suppliers that meet quality and performance requirements.
  • Supplier Audits: Organizations can conduct supplier audits to ensure that suppliers are conforming to quality and performance requirements set by the organization.
  • Quality Requirements: When procuring products or services, organizations should clearly communicate their quality requirements to suppliers. This includes defining specifications, standards, and other quality-related criteria.
  • Control of Purchased Goods and Services: ISO 9001 requires organizations to have processes in place for the control of purchased goods and services. This includes inspection, verification, and validation of products or services received from suppliers to ensure they meet specified requirements.
  • Monitoring and Improvement: ISO 9001 mandates ongoing monitoring and improvement of the quality management system. This extends to the procurement process, where organizations should track supplier performance and take corrective actions when necessary.
  • Continuous Improvement: ISO 9001 promotes a culture of continuous improvement. Organizations should use data and feedback from the procurement process to identify areas for improvement, enhance supplier relationships, and ultimately enhance the quality of the products or services they deliver to customers. 

  You can find more information at the following link:

  • Purchasing in QMS - The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/

  • Creating the Register of Legal, Contractual, and Other Requirements

    First is important to note that in this module, you need to list only the requirements of customers and regulators you need to comply with. Requirements related to suppliers are handled only in case there are risks that justify handling them.

    Considering that, you should list each regulation as a unique entry because they are typically related to a specific reference (e.g., data privacy in Europe refers to GDPR and in Brazil to LGPD).

    Regarding clients, you can group the clients with the same requirements together (e.g. if you have the same agreement signed with all of them), or you should list them separately if their security requirements are very different.

    Regarding the level of detail, you can include only a summary of the requirement and refer to another document where more detailed information can be found. 

  • Is it mandatory to use a consultant for QMS and should we request a certificate from the auditor?

    ISO 9001:2015 does not specifically require organizations to use a consultant for QMS implementation or to acquire an auditor's certificate. ISO 9001 emphasizes that organizations are responsible for developing, implementing, and maintaining their QMS

    The decision to engage a consultant or acquire auditor certification is typically at the discretion of the organization. Many organizations choose to work with consultants for various reasons, including expertise, guidance, and resources. However, this is a business decision and not a mandatory requirement outlined in the ISO 9001 standard.

    It's important to note that while the ISO 9001 standard doesn't mandate these activities, organizations should ensure that their chosen consultants or auditors are qualified and competent to provide the necessary expertise and meet the standard's requirements. Additionally, some industries or sectors may have specific regulations or customer requirements that influence the use of consultants or auditors, but this is not a requirement dictated by the ISO 9001 standard itself.

    You can find more information below:

    • How to become an ISO 9001 consultant - https://advisera.com/9001academy/blog/2016/11/15/how-to-become-an-iso-9001-consultant/
    • How to choose an ISO 9001 consultant - https://advisera.com/9001academy/blog/2019/11/12/iso-9001-consultant-how-to-hire-the-right-one/
    • How to sell your ISO 9001 consulting services - https://advisera.com/9001academy/blog/2017/06/20/how-to-sell-your-iso-9001-consulting-services/
    • Free webinar on demand – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
    • Enroll for free course - ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • How to write a separate strategic risk assessment?

    To define strategic risk assessment separately from operational risk assessment and assign appropriate rankings, first, identify strategic risks that could affect your long-term objectives, such as market changes or regulatory shifts. Develop a unique set of criteria for strategic risks, considering their impact and likelihood
    For these strategic risks I use clauses 4.1, 4.2 and 6.1.1. Please check this free webinar-on-demand - How to Implement Risk Management in ISO 9001:2015 slide 11. Although it is about ISO 9001, I think it can help.
     
    For operational risks, focus on environmental aspects and impacts and consider abnormal and emergency situations. Then, assign rankings based on the specific criteria for each category. Strategic risks may receive rankings based on their potential impact on long-term goals, while operational risks are ranked according to their daily impact and likelihood.
     
    You can find more information in:

    • ISO 14001 risks and opportunities vs. environmental aspects
    • The role of risk management in the ISO 14001:2015 standard

  • Writing standard operating procedure

    As the purpose of a standard operating procedure is to minimise deviations by standardising the process,  documenting a process as an SOP starts with knowing the risks and critical steps that should be controlled and carefully communicated. The depth of detail in the SOP will depend on the context of your laboratory, for example, the number of people performing the task and their competency.

    Standard operating procedures for any laboratory are typically divided into two categories – Management (nontechnical) and technical. An example of a management procedure would be for handling non-conformances and corrective actions. Technical SOPS could either document, for example, the approach to method validation or document the test methods itself.  As the purpose is to minimise deviations by standardising the process,  documenting a process as an SOP starts with knowing the risks and critical steps that should be controlled and carefully communicated. The depth of detail in the SOP will depend on the context of your laboratory, for example, the number of people performing the task and their competency. Either way, it is recommended that you have a standard format. For more information, have a look at the Advisera Toolkit https://advisera.com/toolkits/?standard=iso-17025 and a previous question. https://community.advisera.com/topic/document-and-record-control-procedure-means-what-are-the-procedure-will-include/

  • TISAX and ISO 27001

    We are not experts on TISAX, but what we know is that the TISAX evaluation criteria are based on VDA Information Security Assessment (ISA), which in turn is based on ISO 27001 Annex A.
    
    ISO 27001 does not require separate offices or areas for IT personnel. However, if you have a legal or regulatory requirement to have separate offices for IT personnel, or during your risk management process you conclude that such offices are required, then you would need to implement separate offices.

  • Security Awareness Training Records

    ISO 27001 does not require attendance to awareness sessions to be recorded (in general, auditors check awareness levels by interviewing personnel), but it is recommended to have such records for a certification audit.

    Advisera's Security Awareness Training automatically creates records of attendance. To download the training report, log in as an admin to your training account and go to "Users." Click the "Training report" button on the top right of the screen, and the PDF report will be downloaded to your computer.

    Check our article that will show you how to perform training and awareness for ISO 27001 and ISO 22301.

  • Clarification Regarding Control Review Frequency in Policy Documents

    Controls can be reviewed at a different frequency than those defined for the review of documents related to them. You only need to ensure that control review results are considered in the next document review. Please also note that, depending upon the controls review results, an immediate review of documents may be necessary. 

    Check our article for further information on performing monitoring and measurement in ISO 27001.