
  • Multi-site certification and group certification

    Multi-site or group certifications are possible for management systems, although they are not common across continents. The real determination is the applicability of the QMS rules and policies across the different locations; if these are too different, then a multi-site certification can be difficult. The certification comes down to the scope identified for the QMS, and this scope can include one location or several, but as stated, if the multiple locations are very different from each other in processes, products or services, this can be difficult. Additionally, legal requirements may be different across locations on different continents.

    It is also important to note that not all certification bodies will be willing to do a certification like this. To certify multiple locations, you will need all locations audited and this may not be possible or accepted for all certification bodies.


    You can read a bit more on scope of the QMS in these articles from the 9001Academy which are applicable: How to define the scope of the QMS according to ISO 9001:2015, https://advisera.com/9001academy/blog/2015/10/13/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/ and Certifying different legal entities under one certification scope in ISO 9001, https://advisera.com/9001academy/blog/2018/03/27/certifying-different-legal-entities-under-one-certification-scope-in-iso-9001/

  • Conformio - setting up people and departments

    For small companies (up to 50 employees) it is not critical that the project sponsor does not get directly involved with the project. This “no involvement” is normally defined because the project sponsor is often part of top management, and if he gets too involved with the project (i.e., acts as a project manager), this situation may end up impacting his other functions.

    In case the managing director (MD) has the necessary authority to solve problems that can get the project stuck, and to make decisions to ensure project success, there is no problem with this role being assigned as the project sponsor instead of the chairman.

    For further information, see:

  • Implementing the ISO 9001 standard for an Information Technology company

    I am working on implementing the ISO 9001 standard for an Information Technology company. They do not have any in-house manufacturing of equipment or hardware. They only offer IT services such as Managed Services, Cybersecurity, reseller of Hardware, reseller of Software, VoIP, Access control.

    What clauses will be applicable for them in ISO9001?

    Answer:

    ISO 9001:2015 clause 8.5 is not only about manufacturing, it is about “Production and service provision”. So, 8.5 applies to service provision. It’s like a delivery services company being ISO 9001 certified.

    While implementing ISO 9001 for certification, only clauses from section 8 can be candidates for classification as non-applicable. ISO 9001:2015 is a generic standard applicable to all kinds of organizations. The company:

    • Has clients and consumers – clause 8.2 is applicable.
    • Has its management system scope closed or open. If the scope details all IT services provided, then Clause 8.3 may not be applicable. If the organization has a general scope that can accommodate new services in the future, then Clause 8.3 is applicable.
    • Buys resources - clause 8.4 is applicable.
    • IT services are provided, quality must be controlled and non-conforming services must be treated - clauses 8.5, 8.6, and 8.7 are applicable.

    Inside 8.5 typical candidates for non-applicability are:

    • Subclause 8.5.3 – does the company work with confidential information provided by the client? Does the company install the software at the client’s premises? If a new version of software causes problems for the client, is the company liable? If the answer to one of these questions is yes, the clause is applicable.
    • Subclause 8.5.4 – preservation seems not applicable at first sight but then look into the “NOTE”. You can find there the word “transmission”. What is that about? It is about how information is transmitted and protected, preventing risks of loss, tampering, and protection of information which may include property of the customer and supplier. There are examples of this information transmitted electronically such as electronic payments, mail, electronic files, computer files, information available on websites, etc.
    • Subclauses 8.5.5 and 8.5.6 – include after-sales support and new versions

    Also, do you have a toolkit that is specifically for IT industry?

    Answer:

    No, we do not have an ISO 9001 toolkit specific to the IT industry. However, 1-on-1 support is provided to clients. Perhaps, in your case, this toolkit “ITIL® AND ISO 20000 DOCUMENTATION” - https://advisera.com/20000academy/ used together with this free document - “ISO/IEC 20000-1:2011 vs. ISO 9001:2015 matrix” - https://info.advisera.com/20000academy/free-download/iso-iec-20000-1-2011-vs-iso-9001-2015-matrix?_gl=1*ud8gcr*_ga*MTI5NjM5NjM3LjE2MjcyOTkzOTY.*_ga_4P5GYSBRB2*MTYzMTAwMDYyNi4zMS4xLjE2MzEwMDIwNTQuNjA. This document is being updated according to ISO/IEC 20000-1:2018.

    While considering the use of ISO 9001 for software development activities, consider this supporting standard: ISO/IEC/IEEE 90003:2018 - Software engineering — Guidelines for the application of ISO 9001:2015 to computer software - https://www.iso.org/standard/74348.html


  • Receiving CE Mark

    please go on

  • GSPR and IFU/manual

    According to Article 32, safety and clinical performance must be performed only for implantable devices and for class III devices, other than custom-made or investigational devices. Therefore, this article and this requirement from GSPR are not applicable to you.

  • ISO 27001 Lead Auditor exam - Doubts regarding a question

    Thank you for that.

    Nonetheless...

    With regard to the question about owners to be assigned to each critical risk...

    Considering the fact that the question was structured in the way "Does each critical risk should have the owner assigned?" and not in the way "Does ONLY critical risk should have risk owner assigned?", if my response YES was marked as incorrect, I would like to appeal my exam results.

    In both approaches to the IS part of the exam I was missing only 6% to pass, which is basically 1 question, probably. And I had this question both times in it.

    Could you please check and let me know if this can be somehow proceeded?

    I will be grateful.

  • Can certified ISO 27001 Lead Auditor train and certify other people?

    1. I was told a certified ISO 27001 LA can train and certify other people?

    For ISO 27001 compliance purposes, a certified ISO 27001 Lead Auditor has recognized knowledge and skills that allow him to train other people.

    Regarding certification, in theory, everyone can issue a certificate, but for the certificate to be recognized it should be issued by a trustworthy organization. 

    A certification issued by a certified ISO 27001 Lead Auditor has limited recognition (normally it is recognized only by the organization he works for).

    On the other hand, a certificate issued by an accredited training provider is often worldwide recognized.

    In short, if your need for certification is only for internal purposes, a certified ISO 27001 Lead Auditor can issue that for you. In case you need a widely recognized certification, you should look for an accredited training provider.

    2. If true, is there a special certificate/training to be able to do this?

    To become a certified ISO 27001 Lead Auditor you need to attend an ISO 27001 Lead Auditor course from an accredited training provider and pass its final exam.

    In the link below, you can access the information about such a course:

    These articles will provide you a further explanation about lead auditors:

  • Applicability of employee data

    It depends. Regarding your employees' data, you act as a Controller, which is the legal entity that defines the means and purposes of processing of personal data. That means that the Company is free to determine how data will be processed.

    If you are an EU Controller you have to apply the GDPR to all your personal data processing, no matter where the data subjects are located. If you are not an EU Controller, and your employees are not located in the EU, then you don't have to comply with the GDPR.

    Here you can find more information about the EU GDPR applicability:

    If you want to understand how to comply with the EU GDPR, you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Changing risk scale in Conformio

    ISO 27001 does not prescribe which scale is to be adopted, so we adopted a 1-3 scale to make risk assessment simpler and more practical (a 1-5 scale would involve more values and alternatives).

    These articles will help you:

    By the way, the risk assessment process is also explained in this free online training:

  • Management Representative Role

    While AS9100 clause 5.3 does not dictate exactly who is to be appointed the management representative, it does require that it shall be a specific member of the organization’s management, so appointing a non-management person does not meet this requirement. As for the pros and cons of appointing someone who is in very low-level management to this position, I can’t think of any pros, and the biggest risk is to the ability to have the “organizational freedom and unrestricted access to top management to resolve quality management issues” as required by the standard. This would occur if the low-level manager did not have the organizational clout to ensure that managers who are senior to the representative will resolve quality issues to the satisfaction of the quality representative.

    You can read more on the quality management representative in the article: Is the management representative still required in AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/05/22/is-the-management-representative-still-required-in-as9100-rev-d/
