The mobile device policy has not been reviewed. An appropriate update of the policy according to your organization's context requires performing an information security risk assessment to identify which relevant new risks have emerged, so that the appropriate controls to be applied can be identified.
This article will provide further explanation about risk assessment:
If a laboratory (the Conformity Assessment Body - CAB) performs sampling at the source, e.g. a factory or river, to collect a sample for testing, only then does clause 7.3 Sampling apply. Another way of putting it is that a laboratory is not responsible for sampling if the sample is taken by another party and brought in or delivered for testing. That is, clause 7.3 does not apply. The other party could, for example, be the production department, researchers or other clients. Typically, laboratories will state in the Quality Manual that the Clause 7.3 requirements of ISO 17025 are not applicable as they do not perform sampling.
There may be certain situations where it is necessary, to meet the client's purpose of the test, for the laboratory to provide sampling and transport instructions or guidance to assist the client in presenting a more representative, stable sample. This is to ensure the sample result is more representative of the source as a whole (e.g. a drinking-water well). The client should also be informed as to what information to record, like the date of sampling. This is crucial information for the interpretation of many results. Once the sample arrives at the laboratory, any sample splitting, aliquoting or handling is covered under the other technical requirements, including clause 7.4 Handling of test or calibration items.
For more information on the requirements of ISO 17025, download the free White Paper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025
I’m assuming that by CSM you mean Customer Support Management.
Considering that, to be compliant with ISO 27001, besides the mandatory documents and records, you would need to consider elements like the following to define which documents would be required:
- relevant risks
- compliance with legal requirements (e.g., laws, regulations, and contracts)
- company size
- process importance, complexity, and maturity
- number of people involved
- frequency of use
For example, regarding compliance with legal requirements, there might be a customer requirement to classify data exchanged through customer service, which you would cover through a Classification Policy, or there might be a regulation which requires the protection of customer personal data with encryption, which you would cover through an Encryption Policy.
This article will provide you with further explanation about which documents to develop:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
This article will provide you information about ISO 27001 mandatory documents and records, as well as the most commonly used documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
To fulfill ISO 27001 requirements related to competence (clause 7.2), you need to identify which competencies are necessary for doing work that affects information security performance.
While the Security Awareness Training, GDPR e-learning, and training about policies and procedures most probably will fulfill part of the requirement, you need to check if more specific activities are required. For example, training on a specific technology used by your organization, or on a new process that needs to be implemented, like a disaster recovery process.
This article will provide you with further explanation about training and awareness:
If there are certified calibrators for the test method, then you could provide traceability that way.
I suggest you contact the national accreditation body or your preferred accreditation body and discuss what programme your work would fall under. Then you will know if you need to address traceability as a calibration test (i.e. a calibration lab) or an equipment performance test (i.e. a testing lab). At the same time, the accreditation body will be able to provide an estimate of the costs to apply for accreditation.
Then, regarding your implementation costs, they will depend on your scope of work and whether you use a consultant or a toolkit. For more information, have a look at my response to a similar question regarding costs at https://community.advisera.com/topic/iso-17025-accreditation-2/. There are a number of links there to assist further.
Firstly, note that a procedure can be either documented or not, whereas all work instructions are documented. A documented procedure could be a Standard Operating Procedure (SOP) or a Test Method. A SOP documents a higher level of information to standardise a full procedure. It covers who is responsible for what, what activities are carried out and how, and a certain amount of operational detail, especially if there are no separate Work Instructions as appendices / attachments. An example would be a SOP for a particular test. This type of SOP would typically include several steps and tasks, such as preparing the sample, calibrating the instrument, analysing the sample, and reporting the results.
A work instruction, on the other hand, is used to document the detailed steps of how to perform a particular task, for example how to perform a daily verification of a balance. That said, bear in mind that documentation could include any media. Thus, a work instruction could be written out as text, a diagram, an audio file or a video, or a combination thereof. SOPs are typically written out as text, with diagrams and tables included.
Have a look at the following material where you can obtain more information about documentation structure:
ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation
Thanks for the quick reply, much appreciated 😀
ISO 27001 does not require an asset management process to be implemented, only that an inventory of assets associated with the Information Security Management System (ISMS) is drawn up and maintained, in case control A.8.1.1 Inventory of assets is identified as applicable by the organization.
Considering that, Conformio enables you to draw up the list of assets during the risk assessment process by suggesting a checklist of potential assets you can find in your company.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
For access management Conformio provides you with the Access Control Policy document through which you define rules on which people can access which systems and with whose authorization.
For further information, see:
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
No, the ISO 13485 Internal audit checklist responds only to the requirements stated in ISO 13485:2016. The elements of ISO 9001:2015 that are missing are those concerning context, interested parties, and business risks.
You can find more information regarding the Internal audit checklist for ISO 9001 at the following link:
You can find how it is constructed in our ISO 9001:2015 Documentation Toolkit at the following link:
1. With just an inquiry/sample order (before product approval), how can we conduct process audits / product audits / internal audits?
All internal audits, according to clause 7.2.3 of the IATF standard, should be done by competent auditors. The automotive process approach is essential in system audits. You may need to take internal auditor training for this. Production audits should be made for each shift and for each production process. In addition, it is necessary to be competent in the FMEA and control plan processes. You may need training in this. Product audits can be performed by employees who understand the technical drawing of the product and use measuring instruments.
2. How can we monitor KPI?
KPIs (key process indicators) can be followed with Excel tables on a monthly or quarterly basis, per process.
3. How can we conduct MRM?
Every subject mentioned in clauses 9.3.2 and 9.3.2.1 of the IATF standard should be reviewed with senior management and the team at least once a year. These meeting notes can be documented with either Word or PowerPoint. It would be better if the decisions are documented in a format covering who, when, what to do, and the result.