
  • Audit report

    The common practice is to gather robust evidence to support the findings (i.e., concrete evidence of the observed facts and that defined requirements and/or plans are not being fulfilled) and keep constant communication with top management during the audit process (e.g., meet with them at the end of each audit day). Keeping information flowing is the best way to prevent top management from being surprised by the results of an audit.

    For further information, see:

  • 12.7 Internal systems audit considerations

    The audit documentation included in the toolkit can be used for the general planning and agreement on how to audit operational systems (by using the Annual Internal Audit Program template) and the record of results (by using the Internal Audit Report), but please note that the detailed plan cannot be developed on these documents.

    For the detailed plan you can use a 5W2H table, or the Risk Treatment Plan, located in folder 07 Implementation Plan, template as a base document.

  • Managing impartiality

    Impartiality is the presence of objectivity. In the context of the owner being the lab manager, this means that through the recruitment and management of personnel, taking on and dealing with external providers of services and clients, the manager/owner needs to show awareness of impartiality risks, commitment and fair, unbiased behaviour. This is to ensure that the outcome or result of an activity is not compromised by a situation or action of the owner.

    Have a look at the article How to ensure impartiality in an ISO 17025 laboratory at https://advisera.com/17025academy/blog/2020/10/12/ensuring-impartiality-in-an-iso-17025-laboratory/ for further guidance.

    Meeting requirements for impartiality is about firstly structuring the organisational responsibilities and management to safeguard impartiality, then identifying and eliminating impartiality risks on an ongoing basis.

    An independent auditor is essential, and appointment of a (contract) independent quality manager would be a good mitigation of this risk. This is the best approach: having an organisational structure that safeguards against any conflict of interest and all risks to impartiality.

    The manager's commitment to safeguarding impartiality must be aligned to the objectives of the laboratory. This can be shown through a statement in the quality policy, ongoing discussions about impartiality with personnel, performing risk assessments and discussion in Management reviews.

    Lastly, it is essential to have a positive culture about quality so that personnel reporting to the manager are given the responsibility and authority to safeguard the quality and objectives of the laboratory. If, for example, the owner decides to procure inferior quality reagents from a family member, this is an obvious risk to impartiality and a risk to the quality of the laboratory results. In this case independent people (personnel and/or a contract Quality manager) should be responsible for review of client contracts and new suppliers and should be able to bring it to the owner/manager without any consequences.

    The ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ may also be useful.

  • IATF Requirements

    During the incoming inspection of the product, the features of the part according to the technical drawing should be checked. These are both size checks and visual checks. For example, controls such as color, burrs, deformation, and rust are visual controls.

    If such features are specified in the technical drawing, visual checks should be made during incoming inspection.

  • Smart devices

    You can find a lot of useful information on the ENISA site: https://www.enisa.europa.eu/

    For this specific need, you should take a look at ENISA’s control map at this link: https://www.enisa.europa.eu/topics/incident-reporting/for-telcos/guidelines/technical-guideline-on-minimum-security-measures/metaframework

    Other useful information:

  • Incident Management

    While ISO 27001 only defines one objective for information security incident management, and seven controls that can be applied, it does not specify processes or activities to be performed. ISO 27035 defines detailed phases to be considered:

    • Plan and prepare
    • Detection and reporting
    • Assessment and decision
    • Responses
    • Lessons learned.

    The incident management procedure template included in the ISO 27001 toolkit presents a simple way to cover these phases at a general level to fulfill ISO 27001 requirements (where details related to the specific organizational context are needed, they are identified by comments in the template).

    At this link, you can find more information about this standard: https://www.iso.org/obp/ui/#iso:std:iso-iec:27035:-1:ed-1:v1:en

  • Risk owner problem

    Thank you!

  • ISO 22301 toolkit - audit procedure

    Please note that ISO 22301 does not require clause 6.1 (Actions to address risks and opportunities) to be documented. Since they are related to the implementation of the BCMS, such actions are considered in the project plan, located in folder 01 Preparation for the Project.

    Items related to clause 6.2 of ISO 22301 are covered in the template “Preparation Plan for Business Continuity”, located in folder 06 Business Continuity Strategy.

  • 10.3 Appendix 3 Internal Audit Checklist

    In case you are implementing only ISO 27001, you can exclude the references to ISO 22301 from your internal audit checklist. A certification auditor will not look for compliance against ISO 22301 if it is not part of the certification scope.

    The checklist for ISO 27001 contains all necessary information to cover requirements related to continuity of information security in questions related to controls from section A.17.

    This article will provide you a further explanation about building a checklist:

    For further information, see:

  • Key management template

    Please note that control A.10.1.2 is covered in the template Policy on the Use of Encryption, located in folder 08 Annex A Security Controls >> A.10 Cryptography.

    Included in your toolkit there is a List of documents file which will show which controls and clauses of the standards are covered by each template.

    This article will provide you a further explanation about key management:
