
  • ISO 9001 and ISO 14001 Management Review and Corrective Action

    Even if there are some differences, there are many similarities, for instance the context of the organization, the policies, etc. The approach is different, but you can cover them at the same time, and this means that you will save time and documentation. In addition, you will need to perform and organize just a single meeting instead of two, so my recommendation is to have a single MR for the integration of the standards, adding the specific requirements of ISO 9001.

    For more information about an effective integration of the management systems see the following materials:

    - How to implement integrated management systems: https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/ foundations-course/
    - book: Discover ISO 9001:2015 Through Practical Examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • IMS Integration

    The following elements will confirm that the management systems have been effectively integrated:

    - Using a single set of policies and procedures to meet the different standard requirements of your business.
    - A single audit that covers all the requirements of the management systems.
    - Using single tasks that cover all the different goals of the individual management systems.
    - Roles and responsibilities are clearly defined for all the areas that have an overlap.
    - Continuously improving multiple management systems by providing an integrated overview of the systems.

    For more information about an effective integration of the management systems see the following materials:

    - How to implement integrated management systems: https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/ foundations-course/
    - book: Discover ISO 9001:2015 Through Practical Examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Conformio risk register

    1. When are the ISO 27001:2022 and ISO 27002:2022 changes expected to show in Conformio?

    Answer: Conformio will be updated shortly after ISO 27001 is officially aligned with the ISO 27002 changes.

    For further information, see:
    - 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

    2. What kind of actions do the changes require from us?

    Answer: Once the updated controls are in effect you will have to make certain changes in the Risk Register and Statement of Applicability as well as some documents. There will be guidance provided to make the transition easy and clear.

    3. The SoA changes when risks are reviewed; to my knowledge the SoA should not change during the certified period. How is this handled?

    Answer: Please note that the SoA is a living document that can change during the certified period, either due to changes in the risk environment (e.g., when new risks arise or existing risks become bigger/smaller) or in legal requirements (e.g., a new law or a contract with a customer/supplier).

    To handle changes in the SoA you can:
    1 – Use the Risk Register to update risks, or the Register of Requirements to update requirements.
    2 – Update the SoA itself regarding changes due to other business requirements.

    For further information, see:
    - How to automate the creation of the Statement of Applicability https://advisera.com/conformio/blog/2021/01/20/how-to-automate-the-creation-of-statement-of-applicability/

    4. Is there a Risk Treatment Plan in Conformio, or are we supposed to use the Toolkit's RTP?

    Answer: The Risk Treatment Plan is embedded in Conformio, and it is available after you conclude the development of the SoA.

  • ISO 17025 Certification Requirements

    For a test method to be included in your scope as an ISO 17025 testing laboratory, there are a number of technical requirements. This includes ensuring the validity of results (clause 7.7) by monitoring an already validated method with the use of suitable checks. One of these is the use of reference material for quality control checks of your instrument and method. The requirement is that you can ensure metrological traceability, meaning all measuring equipment and the reference material must be certified.

    Regarding the range: the QC checks must cover the calibration range / range of testing for each batch. As far as how often you should plan a QC check, it depends on the risk, including the stability of the instrument. I suggest you engage with the supplier of your GCMS for assistance on best recommended practice.

    For more information, have a look at:

    - The article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
    - The ISO 17025 toolkit document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/
    - The ILAC P10:07/2020 ILAC Policy on Metrological Traceability of Measurement Results, available from https://ilac.org/publications-and-resources/

  • Conformio

    1. ISO 27001:2022
    How will the new ISO 27001:2022 affect Conformio and created policy documents? Is it wise to already aim for certification against the new standard? Does it make sense to already start implementing the new version and not the old one?

    We will start developing an update of both the documents and the SoA as soon as the new changes are published and aligned with ISO 27001.

    A new version of ISO 27001 is expected to be released by the second half of 2022, reflecting the changes of the new ISO 27002 in its Annex A, so you should go for the existing set of controls if you plan to finish the implementation in the next 3 to 6 months. Otherwise, you should go for the new set of controls, to avoid the rework of adapting implemented controls to the new version of ISO 27001 Annex A.

    In case your organization is already certified, there will be a transition time before the new ISO 27001 becomes mandatory (generally the transition time is 2 years), so immediate certification against the new standard will not be necessary.

    For further information, see:

    2. ISO 27001 marketing
    In a video accessible from Conformio, there's a statement that the time for the project manager is 0.5 day/week. That seems like too little to me if it also assumes doing consulting and guiding the organization through the certification process, such as reading, preparing, reviewing and approving documents, or performing the risk assessment and drafting implementation plans for controls. Also, such statements undermine the work of project managers and consultants. What is the use of being a Lead Implementer, or of all the information on your website, if e.g. a secretary could run the project?

    Please note that Advisera's approach with Conformio and documentation toolkits is to allow organizations to implement the ISMS by themselves (documents are almost 90% complete and require minimal customization to cover organizations' needs), so the main role of the project manager in this scenario is to review the organization's teams' work and make corrections when needed.

    The role of the consultant with the Lead Implementer course is useful when an organization asks for a more customized implementation of ISO 27001.

    For further information, see:

  • Creating right road map to reach goals in optimal way

    Broadly speaking, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

    1. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
    2. development of risk assessment and treatment methodology;
    3. perform a risk assessment and define the risk treatment plan;
    4. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    5. people training and awareness;
    6. controls operation;
    7. performance monitoring and measurement;
    8. perform an internal audit;
    9. perform management critical review; and
    10. address nonconformities, corrective actions, and opportunities for improvement.

    To see what documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    This article will provide you a further explanation about ISMS implementation:

    These materials will also help you regarding ISO 27001 implementation:

    To see what documents compliant with ISO 27001 look like, please take a look at our ISO 27001 Documentation Toolkit [https://advisera.com/27001academy/iso-27001-documentation-toolkit/]. It will provide you with a step-by-step explanation of all the activities you need to perform to become compliant, and it will give you all the documents you need for the certification audit.

  • ISO 27001/Conformio questions

    1. The Risk Register flow seems to be inverted. Can you explain why vulnerability comes before the threat? We were under the impression that we would first need to evaluate the threats related to assets, and then the vulnerabilities.

    Please note that threats are relevant only if there are vulnerabilities to be exploited by them (for example, it does not make sense to think about controls to protect paper documents if you only handle digital media).

    Considering that, by identifying vulnerabilities first you reduce the scope of threats that you need to consider, reducing effort and speeding up the risk assessment and treatment process.

    2. Regarding the inventory of assets - in Conformio we have a list of general assets, like computers, but we would like to have a separate document with a list of all the assets within our company, such as which types of computers we use. Is this needed for the successful implementation?

    ISO 27001 does not prescribe the level of detail of the register of assets, so organizations can define the detail level that fulfills their needs.

    The list of assets provided by Conformio is sufficient for certification purposes, but you can add your own assets to the Conformio asset list, or create your own list of assets and include it in the documentation.

    This article will provide you with further explanation about the asset register:

  • ISO 27001 Scope

    Your understanding is correct. In sections 3.2 to 3.5 of the ISMS scope document, you will identify how the elements of the scope are separated from the other elements.

  • ISO 27001 Internal Audit practice and tips

    I’m assuming you are referring to an internal audit.

    Considering that, to perform an internal audit you should consider these steps:

    • Develop an internal audit procedure
    • Plan your audits, considering dates, criteria, and scope
    • Develop checklists to help you not forget something during the audit
    • Prepare the audit report, which will include the non-compliances and other findings

    These articles will provide you a further explanation about internal audit:

    These materials will also help you regarding internal audit:

  • What to do with legacy documents & materials

    1 - I am looking at our options in regards to planning a roll-out of information classification and retention policies and tools within our organization, to help users identify, classify, and protect sensitive data and assets for ISO 27001.

    Currently we have been filing all our information haphazardly in Dropbox. No standards. No management of the Dropbox folders ... so it's a mess. With 27001 we plan to set up a new structure in Dropbox and migrate/convert the company documents/assets into the ring-fenced folders, and then freeze the existing Dropbox folders, with a long-term objective of sunsetting the content.

    Is there a tried and tested method for this task? We have limited resources, so it will take time to do.

    To build a structure that is sound for your business you can consider at least these approaches:

    • organize documents by organizational units (i.e., which areas need access to which documents)
    • organize documents by processes (i.e., which documents need to be accessed to cover the related steps to deliver a defined result, e.g., documents related to payroll)
    • organize documents by roles (i.e., which people need access to which documents)

    Considering that, you should follow these steps:

    1. list all documents that need to be accessed
    2. identify the documents according to defined criteria
    3. create specific folders to group documents that have similar criteria

    The toolkits you’ve bought are an example of the organization by process (from document management to corrective actions). You can use them to organize your documents, or as a template to build your own structure.

    2 - My other question is: will the auditors want to look at the legacy materials? Our aim is to put an ISO stake in the ground and have all relevant/supporting PowerX docs filed in the new folder structure. For ISO 27001 we will use Dropbox as the DMS, but will most likely migrate to alternative apps/software, such as Conformio, in 2023.

    Auditors will be looking for legacy materials only if they are previous versions of documents in use at the time of the audit, to check whether the document management criteria related to change control are being fulfilled (e.g., document review, change control, etc.).

    For example, if your current Access control policy is an update of a legacy Access control policy, the auditor may want to see this document. On the other hand, if the legacy documents include a Backup policy related to a technology that was discontinued by the time the implementation of the ISMS started, there is no need to access this document.
