Search results

Supplier information security requirements

Please note that the supplier information security requirements are based on the results of risk assessment and applicable legal requirements, which are exclusive for each organization because they are related to their context and risk appetite.

For example, two organizations may have the same cloud provider, but because they have different risk appetites, a requirement for the less risk+tolerant organization may not be used by the more risk +olerant one.

Included in your toolkit there is a list of commonly adopted security clauses for suppliers and partners that can help you define your supplier information security requirements. This template is on folder 08 Annex A Security Controls >> A.15 Supplier Relationships

This article will provide you a further explanation about security clauses for suppliers:

• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

How Annex A controls relate to ISO 27001 Requirements

Requirement 6.1.3 “c” refers to a comparison between controls to be applied with those in Annex A, to ensure that no necessary controls have been omitted.

Requirement 6.1.3 “d” refers to the development of the Statement of Applicability (SoA), informing the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.

The full text of these requirements can be found in the ISO 27001 standard (https://www.iso.org/standard/54534.html).
Due to Intellectual Property rights, the standard is not included in the toolkit, but you can find some explanation about the requirements in this paper:

• Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

Implementation ISO 13485 on making medical materials for medical laboratories

You can use it because ISO 13485 standard covers all necessary elements regarding the production; it guides you on how to best organize production, how to ensure that you know at all times what stage your product is at, how to ensure traceability (both raw-repro material and finished product) and the required purity. Regardless of the fact that ISO 13485 covers medical devices, this approach is acceptable for the production of any product.

However, please be aware that ISO 13485:2016 is standard for preparing quality management systems explicitly for manufacturers of medical devices. In section 3. Terms and definitions, in point 3.11 is described what a medical device is. A product may be a medical device if it has one or more of the following roles: diagnosis, prevention, monitoring, treatment, or alleviation of disease. Therefore, if your materials meet this definition (and the rest of what is written in point 3.11) then the materials for ISO 13485 are applicable. 

If you need more information what is ISO 13485:2016, please see following articles:

• What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
• How can ISO 13485 help manufacturing companies? https://advisera.com/13485academy/blog/2021/03/16/how-can-iso-13485-help-manufacturing-companies/
• How to get ISO 13485 certified? https://advisera.com/13485academy/iso-13485-certification/
• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

• Document Control

  Besides the requirements you mentioned, the document control process also needs to consider appropriate:

  • identification and description
  • format and media
  • review and approval
  • control to ensure availability and suitability for use
  • protection

  This article will provide you a further explanation about document control:

  • How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/

  This material will also help you regarding document control:

  • Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• SWOT analysis and management structure in ISO 9001

  “I want to understand the frame / process that is followed in creating an ISO management documentation - are you able to provide a structure.”

  In this article, you see the most common frame used to describe a quality management system (QMS) documentation - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/

  It starts with the quality policy, the most high-level document in a QMS, continues with a quality manual, no longer mandatory with ISO 9001:2015, but still considered useful by most organizations to present a general description of the management system. For example, I recommend designing the quality manual based on the process mapping exercise of clause 4.4.1 b). Then come the procedures where we can describe what is done in the QMS, by whom, and when. When it is needed a more detailed description about how to do something in the QMS we use work instructions. At the base, we have forms that, once filled in, become records. We have also other records not generated by filling a form. For example, an e-mail sent by a customer with a complaint becomes a record.

  Procedures and work instructions are not mandatory. Please check clause 4.4.2. Each organization can consider a list of topics when thinking about what procedures are needed or not. Consider that procedure may be useful or needed because of:

  • The complexity of tasks – complex tasks are more prone to errors and mistakes;
  • Staff rotation – if staff rotation is high, people have not much experience and a procedure that someone can use as a guide in case of doubt is very useful;
  • Staff training – if staff training is very poor
  • Performance – if performance results show a bad performance perhaps procedures can help people in their work
  • Complaints – a particular case of performance
  • Requirement – if a law, or a standard, or a contract requires a procedure.
     

  “Also, I liked that a SWOT analysis is carried out.  Is a SWOT always carried out?"

  Carrying out a SWOT analysis is not mandatory. So, organizations may not use it. In this free webinar-on-demand, I show how the SWOT analysis can be used - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/

  You can find more information about context, documents, and records below:

  • How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
  • List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
  • New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
     

• Conformio risk register, confused by some of the threat mappings for Human Resources

  Please note that the mentioned threats (Earthquake / Fire / Flood / Storm) can cause injuries on employees (making them unable to work), or preventing them from reaching the workplace, and if there is no replacement person to perform activities the business will be negatively impacted.

  This article will provide you a further explanation about matching assets, threats, and vulnerabilities:

  • ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

  This material will also help you regarding matching assets, threats, and vulnerabilities:

  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

• Clause 8.5.4 Preservation

  Sometimes to ensure product or service conformity organizations must control and prevent situations that lead to deterioration, loss, theft, end of validity, tampering, and so on.

  For example, raw materials while at a warehouse may be deteriorated due to high or low temperatures, or the level of humidity may be lost due to animal contamination or mixing with other substances. During manufacturing, dust or other types of contamination may generate product nonconformities. The finished product may be lost because temperature and humidity are not controlled, or handling is not well suited (remember the warning phrase “Fragile” in packaging). Finished products may also be lost due to bad practices at the warehouse, new batches are shipped before old batches until validity time is run-up.

  For example, at a restaurant consider temperature and contamination control to avoid food deterioration. An IT service provider considers measures to preserve the server’s performance. A university considers what should be done to ensure that exams are not disclosed.

  So, in your organization’s case look for situations like these and think about what should be done to prevent them.

  You can find more information below:

  • ISO 9001:2015 clause 8.5 Product realization – Practical examples for compliance - https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Linking the external/internal issues and interested parties to the risk and opportunities

  ISO 27001 does not require an explicit identification/link between external/internal issues, interested parties, risks, and opportunities, so this issue is not a certification requirement.

  The standard only requires that external/internal issues, interested parties are determined.

  These articles will provide you a further explanation about internal/external issues and interested parties:

  • How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  • How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
  • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

• Needs and Expectations of Interested Parties

  If you investigate Annex A.3 from ISO 9001:2015 you can read in its last paragraph:

  “It is for the organization to decide if a particular requirement of a relevant interested party is relevant to its quality management system.”

  So, determining the needs and expectations of a particular interested party is not an exercise to be done in the abstract. It must be grounded on each organization’s reality and its purpose and strategic direction. Two similar organizations on the outside, due to different strategic orientations may hope to work and satisfy different segments within a generic group of interested parties.

  
  Some examples can be:
  Investors

  • Want to get a return on their investment
  • Want reliability of external context
  • Want reliable and frequent information

  Regulators

  • Want that compliance obligations are dully communicated and respected

  Your list is very long, and I cannot provide detailed information here. Remember, ISO 9001:2015 uses the word determine, not the word identify. Identify means that they exist independently of the observer, and the observer's work is to find them. Determine means that the observer, considering strategic orientation and context, decides what is relevant. It is a management decision, not a technical decision.

  
  Please, check this free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/ - where you can see examples of context and interested parties analysis.

  
  You can find more information below:

  • How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
  • How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• The best simplify way of carrying out ISO audit

  I gather you are referring to an ISO 17025 internal Audit?

  In that case, the person performing the audit needs to know what the Scope of work is (what tests or calibrations are accredited, is sampling included etc) and what processes are involved. Thereafter the audit criteria (the requirements being assessed) need to be documented. The simplest way to achieve this is to use a suitable checklist. This could be your own checklist based on the ISO 17025, however the most straightforward approach is to use the accreditation bodies checklist (which they use for their assessments) or the Advisera toolkit. Witnessing and vertical assessment should also be performed.

  For further information see the article ISO 17025 technical internal audit: The basics

  at https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/

  The following will provide more information:

  ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/

  The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report available separately from the procedure link above; or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/