Search results


  • Manage Risk Effectively

    First, ISO 9001:2015 promotes using the process approach. Using the departmental approach is not wrong, but it is not the most effective approach.

    In this free webinar on-demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/ - I show some examples of determining risks and then acting on them. ISO 9001:2015 mentions risk about:

    • Context interacting with interested parties (clause 6.1)
    • Products and services (clause 5.1.2 b))
    • Processes (clause 4.4.1) 

    Your organization is a set of interrelated processes. Each process is a set of activities that transform inputs into desired outputs.

    ISO 9000:2015 defines risk as the effect of uncertainty. Because there is uncertainty, sometimes we don’t have the expected:

    • Inputs
    • Activities
    • Outputs
    • Results 

    For example, what is a non-conformity? We don’t design processes to deliver non-conformities. So, when a non-conformity happens, we have the manifestation of risk. Non-conformities are potential risks that have materialized. Same for complaints.

    Seen in this way, the risk-based approach is a very effective methodology for developing a plan to control a process, its quality, and its results. The control will materialize, for example, in operations of control, verification, improvements in the process, in work instructions, in improvements in monitoring, in increasing the competence of the participants.

    You can find more information below about risks.

  • Questions regarding ISO27001 documentation

    1 - In the pack that we bought, we can’t find the document regarding Business Continuity Strategy. First I thought that it is the same as the Disaster Recovery Procedure but after having a look here https://advisera.com/27001academy/documentation/business-continuity-strategy/, I found out that this is not the case. Could we receive a .doc Italian version of this document, like we did for the rest?

    ISO 27001 aspects on business continuity process (section A.17 from ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations, so a Business Continuity Strategy document is not mandatory for this standard, and you will only need the DRP template included in your toolkit. In this DRP template, in the first row of the table in section 3 you can describe an overview of your Business Continuity Strategy (this will be sufficient for ISO 27001 purposes). 

    2 - All along the instructions we can see that the documents refer to clauses (e.g., A.17.2.1, 7.5…). These clauses sometimes match with the code of controls, other times they don’t. Do these clauses refer to controls or not? If yes, why don't they always match? If not, what do they refer to and is there a list of clauses?

    Please note that references to controls from ISO 27001 Annex A start with “A.” (e.g., A.17.2.1 refers to control Availability of information processing facilities), while references to clauses from the main part of the standard (clauses 4 to 10) start with a number (e.g., 7.5 refers to Documented information).

    This material can provide you more information about ISO 27001 clauses:
    - Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

    3 - In our documents we put the reference documents towards the end of the documents in the same table with the records. Is that ok or is it better to separate them and put the Reference documents at the beginning of the documents like you did?

    You can keep your reference documents as you define them. ISO 27001 does not prescribe this level of detail in formatting documents, so organizations can define the content order as best it fits them.

    4 - In some of our documents/politics we describe the Violations of the Politics in a dedicated paragraph while in your documents we don’t find them. Can we keep these paragraphs regarding Politics Violation or not?

    You can keep your paragraph dedicated to Violations of the Politics in your documents. ISO 27001 does not prescribe this level of detail in document content, so organizations can define the content as best it fits them.

    5 - Can we put a document/section with the Organisation chart emphasising the key figures with responsible roles in ISMS? And linked to this topic two more questions: could we use a RACI matrix in the documents? Could you suggest the best way to call these figures in Italian?

    Key roles and responsibilities for the ISMS are included in the Information Security Policy template (section 4.4). Please take a look if the information in this section of this template can fulfill your needs. If yes you can include the organizational chart, but you also can develop a separate document to present this chart.

    Regarding the RACI matrix, you can use it in the documents, as a means to provide a quick view about how something needs to be done, but please note that required responsibilities are already defined alongside the documents, and you need to ensure the RACI matrix covers them properly.

    In the Italian version of the toolkit we translated the ISMS roles in various policies and procedures where we found an appropriate term in Italian; the rest are left in English.

  • Microbiology Lab for Implants (Plates and screws)

    The main point here is that these medical devices must be sterile. So I assume they are produced in a cleanroom. Microbiology requirements then include the following:

    • Microbiology monitoring of the environment (surfaces, air, workers’ hands, machines that are used in the cleanroom)
    • Bioburden before sterilization, so that you know what the microbiological load of your products is, to know which sterilization method to choose
    • Testing the sterility of your product after the sterilization

    All of this is stated in the following standard:

    • EN 556-1:2001 Sterilization of medical devices - Requirements for medical devices to be designated "STERILE" - Part 1: Requirements for terminally sterilized medical devices

    The microbiology laboratory for performing all this work must be accredited. It is stated in the MDR 2017/745, Article 106 – Provision of scientific, technical, and clinical opinions and advice – that the EU Commission designated the expert laboratories. Accreditation is one way a laboratory can be designated.

    For more information, please see:

    • EU MDR Article 106 – Provision of scientific, technical and clinical opinions and advice https://advisera.com/13485academy/mdr/provision-of-scientific-technical-and-clinical-opinions-and-advice/
  • ISO 9000 and ISO 9001

    ISO 9000 never changed into ISO 9001.

    The first versions of ISO 9001 and ISO 9000 were published in 1987.

    ISO 9000:1987 was mostly about guidance in selecting and using ISO 9001, ISO 9002, and ISO 9003. In the year 2000, ISO 9002 and ISO 9003 were removed, and ISO 9000 absorbed the quality vocabulary standard ISO 8402.

  • Contract Review and Operational Planning

    Contract review was a language used by ISO 9001 until the year 2000 version. After contract review you have a contract signed, and you know what the client requirements are. Operational planning implementation is about planning how to execute that contract. Things like:

    • Who will lead this contract?
    • What team will work there?
    • What machines and tools will be used there?
    • What materials need to be ordered by what dates?
    • What quality control plan to use?
    • What contract schedule to follow?
    • What monitoring to follow?
    • What invoice plan?
  • 17025 Accreditation for Electronic Test Laboratory

    Yes, a laboratory can be accredited for electronic tests, either as a testing or calibration laboratory. This will depend on the service to be offered. I suggest you contact your accreditation body for further information on which programme will suit your scope of work. You can search for your national body and others at https://ilac.org/ilac-membership/members-by-economy/

    For more information on ISO 17025 see ISO 17025 – Main guidelines at https://advisera.com/17025academy/what-is-iso-17025/

  • Is a Competitor an Interested Party

    First, remember the purpose of determining interested parties is not to make the longest list of interested parties but to make the list of the most relevant interested parties.

    Second, please check Annex A.3 from ISO 9001:2015, last paragraph: “There is no requirement in this International Standard for the organization to consider interested parties where it has decided that those parties are not relevant to its quality management system. It is for the organization to decide if a particular requirement of a relevant interested party is relevant to its quality management system.”

    In my opinion, I prefer to frame a particular competitor as an external issue in the organization’s context. However, I also see organizations including “competition” as an interested party. This approach becomes inconsistent when we determine competitors’ requirements and expectations. The success of the quality management system does not depend on meeting their requirements and expectations. However, a particular competitor can represent a threat (negative external issue) that, combined with the organization’s weaknesses and the interests of customers, can result in a major risk.

    You can find more information below:

  • AML-ISO 27001

    I’m assuming that by AML you mean Anti-Money Laundering.

    Considering that, ISO 27001 does not require AML to be implemented, and does not prescribe specific policies for AML, but by means of risk assessment and identification of applicable legal requirements (e.g., laws, regulations, and contracts), an organization can identify controls that can be used to develop policies and procedures for AML.

    For example, ISO 27001 has controls that can be used to monitor suspect/unusual activities (controls from Annex A section A.12.4 Logging and monitoring), help gather information from authorities and special interest groups (controls A.6.1.3 Contact with authorities and A.6.1.4 Contact with special interest groups), and ensure proper validation of systems and technologies prior to deployment (controls A.14.1.1 Information security requirements analysis and specification and A.14.2.9 System acceptance testing).

    This article will provide you a further explanation about controls selection:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • ISO27001 Lead Implementer Training

    1 - I recognize that the exam for the course provided by Advisera is "accredited" by Exemplar Global but there seem to be several ISO27001 Lead Implementer qualifications provided by and accredited by various companies. Are these qualifications benchmarked against each other to ensure they are the same level of detail/difficulty?

    Unfortunately, at this moment our ISO 27001 Lead Implementer exam is not accredited, but we are in the accreditation process at this moment. As soon as this process is concluded our customers will be contacted.

    Considering accredited exams, you need to check if the accredited providers are certified against ISO 17024 – which provides general requirements for bodies operating certification of persons.

    Provided they fulfill this standard’s requirements, their certifications’ qualification levels are similar.

    These articles will provide you a further explanation about ISO 27001 personnel certifications:

    2 - Also, having passed the exam can you state you are an "ISO27001 Lead Implementer" or do you need to demonstrate some level of practice in the industry (in the same way as the CISSP and CISM qualifications) to an overarching body?

    I’m assuming that by overarching body you mean “certification body”, or a similar organization that is responsible for issuing the certification (like ISC2 for CISSP and ISACA for CISM).

    Considering that, depending on the organization that is responsible for the exam, there may be other requirements to fulfill to be allowed to use the title "ISO27001 Lead Implementer". To know the specific details, you need to contact the exam provider directly.

    For Advisera's ISO 27001 Lead Implementer Course, there are no additional requirements other than attending the workshop and passing the exam.

  • Who to audit during Top Management audit

    ISO 9000:2015 defines top management as “person or group of people who directs and controls an organization at the highest level”. Normally, auditing top management means auditing the member of the top management responsible for the quality management system (QMS). Auditing top management may mean auditing the owner of an organization, or the member of an Administration board responsible for the QMS.
