
  • Doubt in filling in documents

    Doubt 1: Some of the links pointed out in the comments are no longer available, is there an update?

    Answer: First of all, sorry for this situation.

    Please provide information about the missing links and we will send you the correct ones.

    Doubt 2: Some documents mention “[position]”. I would like to know the most advisable way to change this variable: should I use an existing position, even if that position covers several functions, or fill it with a position to be created but which will temporarily be occupied by the same person?

    Answer: First, it is important to note that both approaches are acceptable to fulfill the standard’s requirements. The suggested approach is to use the position that will be responsible for the activity in the long term, regardless of the person who will be designated for it. This way you will minimize the need to update the document to change the responsible position.

    The comments for each [position] suggest which job titles you might use. Also, included in the toolkit you have access to video tutorials which show how these positions could be filled out for some documents.

    For further information, see:
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

    Question 3: How can I find out which laws are mandatory for my company/situation?

    Answer: For this situation, our recommendation is for you to look for local legal advice.

    As for a starting point, you can use the information in this link:
    - Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

  • Documents considered as next-level projects

    1 - As you mentioned during the meeting, the following documents should be considered as next-level projects since they are not needed for our company. Am I correct in that assumption?

    04.2_Cloud_Security_Policy_Cloud_EN.docx

    04.3_Policy_for_Data_Privacy_in_the_Cloud_Cloud_EN.docx

    If you want to be compliant with ISO 27001 only, and not with ISO 27017 and ISO 27018, the two documents you mentioned are not needed; also, in the Statement of Applicability you need to take into account only the 114 controls that are related to ISO 27001.

    2 - Furthermore, I would appreciate it if you could see the attached and tell me which step you mentioned is not applicable to us? (If any)

    Please note that to implement ISO 27001 you will have to go through all the folders listed in the toolkit. By consulting the List of Documents file that comes with your toolkit you will identify which documents need to be implemented to fulfill the standard’s requirements (e.g., Information Security Policy, SoA, etc.), and those that are recommended to be implemented because they are considered good practice (e.g., Procedure for Corrective Action).

  • Mock examples

    Yes, I agree with this approach. The point here is that you need to prove that you have a system in place, and that system is applicable for any type of medical device or component.

  • Internal Auditing specifics

    “Do you have a white paper or any documented evidence that will support the case of those requirements relating to ISO auditing that you can share - especially ALL clauses and over what time span?”

    Answer:

    The requirement about auditing all clauses every year is not in ISO 9001 but in the contract that you sign with the certification body, as one of the commitments required. The same applies to at least one management review per year.

    “the internal auditing process needs to be audited by a qualified person independent of the activity”

    Answer:

    Any function relevant to the quality management system must be performed by a competent person. It is up to each organization to determine internal auditor competence requirements. About independence, please check ISO 9000:2015 definition 3.13.1 where one can read that an audit is “systematic, independent and documented process”. That is why auditors should not audit their own work.

    The following material will provide you more information:

  • AS 9100 Certification Body

    A certification body is an independent third-party organization that will audit your management system for the purposes of “certifying” that your QMS meets all of the requirements of a standard, such as AS9100 (however, any management system can be certified). Certification bodies differ around the world, and are accredited by what is called an accreditation body who will ensure that they are following appropriate management system audit processes.

    As I can’t really tell you who to choose for your location in the world, I would suggest searching for what your national accreditation body is; on their website they will have a listing of the certification bodies that they approve. From there you can determine which ones can certify for AS9100. Then, it is best to interview several certification bodies to find one that is best suited for your particular organization and type of aerospace industry.

    When you interview some certification bodies you can use our checklist to make sure that you choose one that will best help your organization. You can find it here: List of questions to ask an AS9100 Rev D certification body, https://info.advisera.com/9100academy/free-download/list-of-questions-to-ask-an-as9100-certification-body

  • Compliance review

    To check whether a company is certified, you can ask it who its certification body is and what its certification number is, so you can verify that the certification is in good standing.

    Regarding the evaluation of its security posture, you can ask for its Statement of Applicability (which contains information about applied controls), and the latest performed certification body’s audit report (which will inform the results of the latest audit performed by the certification body).

    Please note that, unless you have a contract with this company ensuring the release of the SoA and audit report, the release of these documents is a decision of the company (in this case, if they decide to release the documents, they probably will require the signing of a Nondisclosure Agreement with your company).

    This article will provide you a further explanation about the Statement of Applicability:

  • Knowledge management (7.1.6)

    I recommend thinking about clause 7.1.6 together with clauses 5.3 and 7.2.

    Start with clause 5.3 and determine which functions are relevant for your quality management system (QMS). Then, for each function, determine its authorities and responsibilities.

    Now, go to clause 7.2 (immediately after 7.1.6), and for each relevant function of your QMS determine if there are any competence gaps. How can you determine competence gaps? Before evaluating competence, you must determine what is required in terms of organizational knowledge for each function to perform authorities and responsibilities properly.

    So, for the first part of clause 7.1.6, that is how I work: determine the knowledge required to perform a particular relevant function and include that in the job description. For example, if your organization starts onboarding a new employee, what kind of training and experience must be provided to operate competently? For example, that new employee must learn to work with the company’s software, must learn the company’s product codes and references, …

    For the second part of clause 7.1.6 I invite you to see this answer that I wrote, which also includes links to articles about this topic - https://community.advisera.com/topic/iso-9001-organizational-knowledge/

  • Nonconformance vs Nonconformity

    You are right, ISO 9000:2015 does not provide a specific definition for the term "nonconformance" in its standards. However, it uses related terms like "nonconformity" and "conformity" in ISO 9001 and other quality management standards.

    While these terms are often used interchangeably, a nonconformity is a more precise term and is the one formally used in ISO 9001 to describe instances of noncompliance with the standard's requirements. Nonconformance, on the other hand, is a broader term that can encompass various types of failures to meet quality criteria. Many times people use them to differentiate a nonconformity according to clause 8.7 from a nonconformity according to clause 10.2.

    If you search the word “nonconformance” in this site, you will see that it is used very commonly by those asking questions.

  • Use of Correction Fluid

    I have no experience in the microfinance industry, but I know of several industries, like the pharmaceutical, where correction fluid is forbidden.

    Where do we use correction fluid? To correct a mistake in something written in a form, for example. But someone can also use correction fluid to change some correct information and introduce a lie. So, correction fluid can erode the quality of the information that resides in a record, something that we assume to be a faithful photograph of the reality that happened can become false.

    Now, let us go to ISO 9001:2015 clause 7.5.3.1 b) and to “protected from loss of integrity”. The use of correction fluid may put in question the integrity of the information recorded, and records are the memory of an organization.
