Search results


  • Procedure Manual

    No, normally, a procedure manual is not the same thing as a quality manual.

    A procedure manual, normally, is considered a compilation of all procedures of an organization. A quality manual, normally, is a document where the quality system of an organization is described together with its quality policy. Neither manual is mandatory according to ISO 9001:2015.

    Let me remark that I think that in older versions of ISO 8402, the vocabulary standard that became obsolete in 2000, there was a note saying that the sum of all procedures could be the quality manual. However, I never saw that approach followed in practice.

  • ISO 27001 new version and becoming a consultant

    1 - My company intends to implement ISO 27001:2013, but I've heard that a new version is coming, and I need to know, if I start at the beginning of next year, whether the new version will affect me, especially if I use your toolkits. Will they be updated?

    Please note that ISO 27001:2013 was indeed reviewed in 2019, but it was confirmed as the current standard, so no changes will be required for those organizations already certified, or in the process of certification against this version of the standard (the version of the current standard will still be 2013, not 2019). There is also no need to update our toolkits by this date.

    For more information, please access this link: https://www.iso.org/standard/54534.html

    2 - The next part is personal: after implementing the standard in my company, I would like to start my own business as an ISO 27001 consultant, so I need your advice please.

    To become an ISO 27001 consultant, the first step is for you to decide which path you want to follow considering security management or security assurance (i.e., security audit), and for these areas, you have the following ISO 27001 certifications you can follow:

    • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
    • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

    These articles will provide you a further explanation about ISO 27001 personnel certifications:

    For courses related to these certifications, please see:

    After certification, you should acquire experience in the field, and the most common ways are to work inside your current company implementing information security, or working for an established consultant.

    For more information about how to become a consultant, please read:

  • Documents needed to implement QMS 9001

    An auditor does not implement documents. An auditor does audits. While implementing a quality management system according to ISO 9001:2015 the mandatory documents and records can be seen in this article – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    You can find more information about documents, and records below:

  • Risk Assessment in an Auto Repair Workplace

    As ISO 45001 does not require one risk assessment method, there are many to choose from. Some people who are used to using the Failure Modes & Effects Analysis (FMEA) in design will use a similar method where they assess the severity, occurrence and detection of a hazard using a scale for each to assess the risk. If you are not familiar with the FMEA, or your hazards are not overly complicated, this method can be very complex.

    As risk is defined as the combination of severity and occurrence, I like to use a grid for this; either a 2x2 or a 3x3. On the vertical axis of the grid you plot severity from low to high, and on the horizontal axis you plot occurrence from low to high. On the grid, when a hazard is high occurrence and high severity it is in a red area; low severity and low occurrence is in a green area. This makes it easy to look and see which are the worst hazards that should be better controlled.

    You can read a bit more on hazard assessment in the article: How to identify and classify OH&S hazards, https://advisera.com/45001academy/blog/2015/05/14/how-to-identify-and-classify-ohs-hazards/

  • Audit findings

    Without specific information about the findings’ statements and the context of your organization, it is not possible to provide a more proper answer.

    Even though your ISMS scope is focused on the procurement system, you will still need to have employee records related to e.g. training (these are mandatory ISMS records), and you will need to protect those records as well.

  • ISO 22301 question

    1. Hi, my company purchased templates from you for 22301. As I look through some of the docs I'm seeing some discrepancy in how documents are named and referenced (eg, Business Continuity Management Policy v Business Continuity Policy).

    Answer: Please note that Business Continuity Management Policy and Business Continuity Policy are similar terms, covering the practices that provide the capability to continue the business’ operations at a minimum agreed quality level in case of a disaster. The term “Business Continuity Management Policy” is normally used when the policy is related to the ISO 22301 standard, since this standard defines requirements for a business continuity management system.

    2. I have a question on the "Risk Treatment Plan": according to 03.1, this document template should be in the 04 Toolkit Folder, but I do not see it in our package. Is this Plan just another title for the Methodology, or am I missing a document template? Thank you for your help!

    03.1 Business Continuity Policy refers in Paragraph 3.3 to a Risk Treatment Plan, which I don’t see elsewhere in your list of documents. Is this the same as one of the documents in the 04 Risk Assessment and Treatment folder?

    Answer: First of all, sorry for this confusion.

    Please note that the risk treatment plan for ISO 22301 refers to a set of documents rather than a single document included in folder 07 Business Continuity Plan (i.e., the Business Continuity Plan and its annexes).

    Its implementation is better explained in section 3.2 of template Business Continuity Strategy, located in folder 06 Business Continuity Strategy.

    For further information, see:
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

  • Extended controls documentation

    It is fine if you use only the complementary document which covers the specifics of ISO 27017 and ISO 27018.

    However, please be advised that these documents were made for companies that want to implement all 3 standards (ISO 27001, ISO 27017, and ISO 27018), and that ISO 27017 and ISO 27018 sections are not specifically marked in the text.

    By the way, in case you do not need the Disposal and Destruction Policy, the Change Management Policy, and the Backup Policy as separate documents, you can skip those and use only the Security Procedures for the IT Department (the content of these policies is included in this template).

  • Business Impact Analysis Methodology

    Please note that for some processes or services there are periods when they are more required, or need to provide more outputs, and these should be identified to help determine minimum business requirements.

    For example, for a store, sales near commemorative dates (e.g., Christmas, Easter, Valentine’s Day) are considerably higher, and when planning minimum business continuity objectives you should consider them.

    For further information, see:

  • Mass pieces

    To start off, the balance needs to be calibrated by a calibration laboratory periodically. To ensure that equipment is fit for purpose (namely the balance in this case), and to provide metrological traceability for a test to be performed, the test laboratory must perform intermediate checks to ensure that the calibration is still valid. This is known as verification, which is usually performed on use or on a daily basis. The mass pieces used for verification must also be fit for purpose. This means you should have mass pieces that cover the range of use of the balance and have calibration certificates for the mass pieces. These should indicate that they are fit for purpose, meaning the accuracy and the measurement uncertainty are acceptable. Note that there are various classes of weights as per ASTM and OIML that are matched to the class of the balance. See OIML R 111-1 (E) Edition 2004 available at https://www.oiml.org/en/files/pdf_r/r111-1-e04.pdf. The laboratory must ensure both the balance and mass pieces are suitable to provide the resolution and accuracy required.

    For more information on associated calibration intervals, refer to ILAC G24:2007 Guidelines for the determination of calibration intervals of measuring instruments (note currently under revision) available for download at https://ilac.org/?ddownload=818 

    For more information, have a look at

    The article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
    The ISO 17025 toolkit document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/

  • Facilitating training of medical devices organization for their management

    A person who performs education about ISO 13485:2016 must have some proof that he/she understands all necessary requirements which are specific to the medical device manufacturer. This proof can be a certificate for the ISO 13485:2016 Lead Auditor or experience working in medical device manufacturers. ISO 13485:2016 has some specifics which can be seen only in that standard; therefore, understanding and knowledge of ISO 13485 are necessary.
