Search results

Scope

In this scenario, you can simply state in the ISMS scope document, section 3.4 Exclusions of the scope, that servers and networks related to companies B and C are not part of the ISMS scope.

You can access the ISMS scope for editing by clicking on the “Compliance” link in the left-side panel and then “Implementation steps.” From there, you can access the step related to the ISMS document scope and edit it.

For further information, see all you need to know about setting the ISO 27001 scope.

This tool for defining the ISO 27001 ISMS scope can also help you.

Design exclusion

I don’t know if I have all the relevant data from your situation. Based on the information supplied I highlighted two topics:

• part of design and construction
• validation done by external party 

I would not exclude design from the scope of your management system. Why? Because:

• The customer provides part of the design inputs (common situation), but your company does design too.
• Validation done by external party is a very common situation, that is why design validation is different from design verification. Validation is done by the client or someone on its behalf when design inputs were provided by a client. 

You can find more information here:

• ISO 9001 Design Verification vs. Design Validation
• What clauses can be excluded in ISO 9001:2015?
• Enroll for free course - ISO 9001:2015 Foundations Course 
• Book - Discover ISO 9001:2015 Through Practical Examples 

Internal audit checklist and report combined

Your approach of combining the Internal Audit Report and Internal Audit Checklist is not very common, but probably will be acceptable for the certification audit. However, we feel this will take too much time so it is probably better to use the Internal Audit Checklist and the Internal Audit Report separately. 

Whatever approach you take, make sure that you include all elements from the Internal Audit Report.For more information, see:

• ISO 27001 internal audit: The complete guide https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/#section5

• ISO 27001 Clause 4 - Scope

  The company’s ISMS scope can be different from the certified ISMS scope (i.e., the certified ISMS scope can be only part of the actual ISMS scope).

  Considering the difference, the certification auditor can proceed with the certification audit considering only the initial scope defined in the Audit Application Form (Sales and Marketing departments will not be audited). In case of a successful audit, only the scope defined in the Audit Application Form will be considered certified.

• Certification for both 9001 and 27001

  1- What are the common activities / interview meetings / deliverables?

  After getting support for your project (through approval of the ISMS-QMS project plan) and approval of the Procedure for Document and Record Control, these are the common steps and deliverables:

  1) defining ISMS-QMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;

  2) performing people training and awareness;

  3) performance monitoring and measurement;

  4) performing internal audit;

  5) performing management critical review; and

  6) addressing nonconformities, corrective actions, and opportunities for improvement.

  The definition and execution of the information security risk management process are specific to ISO 27001, while the planning and realization of products and services are specific to ISO 9001.

  For further information, see how to implement integrated management systems.

  2 - Can a department interview approach be taken?

  I'm assuming your question refers to the standard's implementation.

  Considering that, a department interview approach is possible, but you need to remember the ISO management standards are process-based, so in a department interview it will be easier for the project to also consider the processes performed by the department.

  3 - Is the risk assessment and treatment plan common to both standards or only specific to 27001?

  Please note that risk assessment for each standard has different purposes and different assessment criteria, so at the moment we do not see a practical way to combine risk assessment according to ISO 27001 and ISO 9001 in a single plan. It is better to do a separate risk assessment for ISMS and for QMS.

  4 - How does the certification audit work in this case?

  In this case, you need to contact your certification body to explain you wish to go for an integrated certification audit. The details on how this certification audit will be performed need to be aligned with the certification body.

  5 - What does it take to undertake both projects at the same time ( in terms of additional time and resources)?

  Since these standards have some requirements in common, you can save approximately 30% of time and resources during the implementation.

  6 - Do you recommend to work on both 9001 and 27001 certification at the same time?

  Implementing both standards at the same time is recommended when you have:

  • a customer demand or legal requirements to fulfill
  • additional resources to allocate in the implementation

  If these are not you case, you can think about implementing one standard think the common requirements for both standards, and when you have more resources you may start implementing the remaining requirements.

• Risk Management Requirements

  It is not clear whether you are referring to your own internal audits or accreditation body assessments.

  Any missing or noncompliant process or activity is a non-conformance (NC). Common examples are incomplete method validations or lack of recorded personnel competency.
  ISO 17025 does not require a classification as major or minor. The impact must be assessed by the responsible persons on a risk basis.
  Typically however, a Major NC would be a missing or deviant critical requirement, i.e. systemic problem  (e.g. no Management review performed, ineffective or incomplete audit programme, or absence of critical environmental monitoring) whereas a Minor NC would be a missing activity, such as mandatory environmental monitoring record not completed for a day. If not evaluated and addressed minor NC could become a major risk.

  For more information on ISO 17025 requirements, have a look at 

  • The landing page ISO 17025 – Where to Start? https://advisera.com/iso-17025/,
  • The article ISO 17025 technical internal audit: The basics at https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/.
  • A previously answered question https://community.advisera.com/topic/non-conforming-work/  
  • The article https://advisera.com/17025academy/blog/2020/11/04/corrective-actions-principles-and-root-cause-analysis-in-iso-17025
  • Other Advisera Academies' resources for background, for example, Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

• Risk assessment: multiple vulnerabilities for the same threat

  In this case, you include one row for each control used to treat the same risk. For example, if you want to use 3 controls to treat the same risk, then you will have three rows with the same risk and one for each control.

  This way, you will have a better notion of how each control impacts the risk (some controls may impact only likelihood or only impact), and you can evaluate if all controls are really necessary (i.e. if you are not including excessive controls).

• Calibrating laboratories

  ISO 17025 is applicable for testing and Calibration laboratories. ISO 17025 has clear Reporting Result requirements in clause 7.8 and specifically for calibration reports in clause 7.8.4 Specific requirements for calibration certificates.

  Depending on your activities, certain ISO 17025 requirements will not be relevant, for example, Sampling (clause 7.3); whereas others will need more detail, for example, evaluation of Measurement uncertainty (clause 7.6). Measurement uncertainty must be evaluated for all calibrations and reports. The accreditation body requirements are typically documented, with reference to ILAC (The International Laboratory Accreditation Cooperation) policies and guidelines.
  
  See too, Appendix A3 Demonstrating metrological traceability, where Calibration and measurement capabilities are addressed for calibration laboratories. The Scope must be defined clearly, according to the accreditation body programs.
  
  Furthermore, careful consideration of decision rules must be made as typically for calibration, a statement of conformity to a specification or standard for the calibration (e.g. pass/fail, in-tolerance/out-of-tolerance), is made. For more information refer to https://ilac.org/publications-and-resources/ and become familiar with ILAC G8:09/2019 Guidelines on Decision Rules and Statements of Conformity and ILAC P14:09/2020 ILAC Policy for Measurement Uncertainty in Calibration.

  Have a look too, at https://advisera.com/iso-17025/, for more information on /iso 17025 requirements.

• ITP and Welding Inquiry

  We do not have inspection test plans for fabrication and welding. Laboratories that test materials are accredited to ISO 17025 while inspection bodies are to the ISO 17020 standard. ISO 17025 assessment checks are applicable for testing activities, not inspection. It is ISO 17020 that covers the activities of inspection bodies. The test plans of course would cover requirements and standards specific to the welding and fabrication industry. The inspectors in most cases, would also require personal certification, to provide competence assurance. I suggest you contact your professional association / regulatory body for further information.

• Prioritizing implementation of ISO 9001 over ISO 17025 in laboratory

  ISO 17025 is the applicable standard for a testing or calibration laboratory to claim technical competency for methods on their scope of work. That said, as ISO 17025 is often a voluntarily adopted standard; if it is not a mandatory requirement for a laboratory, they could start with ISO 9001 implementation and achieve ISO 9001 certification whilst implementing the technical aspects of ISO 17025. Once they are working in accordance with ISO 17025, the laboratory can apply for accreditation, if that is a quality objective.

  For more information on ISO 17025 refer to Advisera ISO 17025 – Where to Start?