Search results

ISO 9001 in Maintenance Companies

Implementing ISO 9001 in a company that specializes in maintaining refrigeration systems or installing refrigerators, is certainly possible. ISO 9001 is a quality management system standard that can be applied to various types of organizations, including service providers like maintenance companies.

Apply procedure for document and record control only to information security policies in Conformio?

Please note that there is no need to change the text in the procedure to reflect what is stated in Conformio description of the document.

ISO 27001 requires documents and records related to the ISMS to be controlled, so the procedure needs to have the text "This procedure is applied to all documents and records related to the ISMS" as it is.

If you want to apply the same rules outside of the ISMS, you can do it, but there is no need to change this sentence in the procedure.

Can a company be certified by someone who works for them?

Please note that companies can only be certified by certification bodies (independent organizations that employ their own certification auditors for the process).

For further information, check out the differences in accreditation, certification, and registration in the ISO world.

Environmental Aspects Criteria

When identifying significant environmental aspects for an organization, you don't necessarily have to refer exclusively to ISO 14001 criteria, but ISO 14001 can be a valuable framework to guide your efforts. You can consider, for example:

• Legal and regulatory compliance
• Interested parties expectations
• Risks and Opportunities

You can find more information in:

• Catalogue of environmental aspects
• 4 steps in identification and evaluation of environmental aspects

Create a Performance Mindset

To create a performance mindset in accordance with ISO 9001:2015, business leaders should:

Set Clear Objectives: Define clear and measurable quality objectives aligned with the organization's strategic goals.
Lead by Example: Demonstrate a commitment to quality and continuous improvement through their actions and decisions..
Engage Employees: Involve employees at all levels in quality initiatives, encourage their input, and recognize their contributions.
Provide Resources: Allocate resources, including training and technology, to support quality improvement efforts.
Monitor and Measure: Regularly assess performance using meaningful metrics and key performance indicators (KPIs).
Continuous Improvement: Foster a culture of continuous improvement, where identifying and addressing opportunities for improvement is encouraged.
Communication: Communicate the importance of quality and performance to all stakeholders, both internally and externally.
Feedback Loop: Establish mechanisms for feedback and learning from both successes and failures to drive ongoing improvement.
 

By embracing these leadership efforts and approaches, businesses can cultivate a performance mindset that leads to sustained excellence and quality in their operations and outcomes.

I recommend starting with one or two examples that can be used to set an example and motivate the whole team.

You can find more information:

• Article - How to Write Good Quality Objectives
• Free webinar on-demand - Measurement, Analysis, and Improvement According to ISO 9001:2015
   

Is Statement of Applicability required for ISO 14001?

The statement of applicability is a unique part of ISO 27001 where you identify the controls applied, and this is not required for ISO 14001. Both standards have a scope and policy for the management system, but only ISO 27001 has a statement of applicability.

You can read a bit more on the ISMS statement of applicability in the article:

• Statement of Applicability in ISO 27001 – What is it and why does it matter?

A.15.2.2 Managing changes to supplier services

Control A.15.2.2 Managing changes to supplier services can be implemented by means of a change management process considering the following steps:

1. identification of what needs to be changed (e.g., hardware, software, documentation, etc.) and on which systems;
2. assessment of the criticality of the systems, information, and processes affected by the change;
3. re-assessment of the risks related to the systems, information, and processes affected by the change (e.g., current risks that may change, risks that may arise);
4. formal approval of proposed changes
5. development of an implementation plan, including, when necessary, procedures for aborting and recovering from unsuccessful changes and unforeseen events;
6. testing of the proposed changes before and after deployment of changes in production environment
7. communication of changes performed to all relevant persons.

You can use your change management procedure as a basis to manage changes related to your supplier.  

You can read more about managing changes in an ISMS according to ISO 27001 A.12.1.2 on our blog.

Missing ISO27001 References in List of Documents

Thank you for your question.

We answered it through Experta - you can find the answer here: https://experta.com/shared-post/0363839e-433b-4db0-bd3b-c44dcdac5764

Screening and vetting policy

Please note that ISO 27001 does not require a Screening and Vetting Policy to be documented, and this is not a common document used in an ISO 27001 implementation.

Considering that, to reduce the administrative effort in managing documents, guidelines for screening and vetting are included in the:

• Statement of Applicability, as implementation method for control A.6.1 – Screening. The SoA can be found in folder 07 Applicability of Controls
• Supplier security Policy template, section 3.2 – Screening. This template can be found in folder 09 Annex A Security Controls

Asset and Risk Owners - can it be a role and also a name of an employee

ISO 27001 does not prescribe how to define asset/risk owner, so both role and name (used together or separated) are acceptable alternatives, compliant with the standard, for defining the asset/risk owner.

We recommend always using only the role of asset/risk owner because changing a role as owner is less frequent than changing an employee, and this way, you will have less administrative effort. 

For more information, check out how to handle an asset register/asset inventory.

Read this article to find out the difference between risk owners and asset owners.