Search results

Question regarding NDA

By your question, I’m assuming that control A.13.2.4 Confidentiality or nondisclosure agreements are applicable to your scenario.

Considering that, the answer to this question will depend on the laws and regulations applicable to your jurisdiction, so you should consider hiring local legal expert advice.

For example, some laws and regulations may require an NDA only from the outsourcer organization, or that this NDA must be extended to individual NDAs to their employees.

This article may provide you a start on applicable laws and regulations, but note that these references depend on the contributions of our reader, and some of them can be outdated:

• Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

For further information, see:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

ISO 14001 fundamental aspects for the implementation

If you want to implement an environmental management system (EMS) perhaps the following steps could be useful for an organization:

• Setup a project sponsor, a project manager and a project team. Determine the scope of the EMS. Ensure top management support, get training. Designing and implementing an environmental management system (EMS) implies being knowledgeable about ISO 14001:2015.
• As a first step determine environmental risks and opportunities, environmental aspects and impacts, and compliance obligations and the state of compliance.

• Then, determine significant risks and opportunities and significant aspects and impacts.
• Define an environmental policy and objectives. From there, it is implementation by developing action plans to improve the interaction with the environment.
• Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

Perhaps the following links can be useful:

• Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
• List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
• ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
• Project checklist for ISO 14001 implementation - https://info.advisera.com/14001academy/free-download/project-checklist-for-iso-14001-implementation
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/ 

ISO 27000 and ISO 20000 - which to go first for?

 I’m assuming you are referring to personal certifications

Considering that, the order on which to pursue these certifications will depend on your needs:

• if your priority is to ensure the quality of IT services, then you should go first for ISO 20000 certifications.
• if your priority is information protection, then you should go first for ISO 27001 certifications.

Since you mentioned IT risk and compliance, the specific field of certification for you would be audit:

• ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditor (and with this provides more confidence to an organization for being certified).
• ISO 20000 Lead Auditor – this certification recognizes people who have competency in auditing an ITSM against ISO 20000 requirements and want to become certification auditor (and with this provides more confidence to an organization for being certified).

These articles will provide you a further explanation about ISO 27001 and ISO 20000 personal audit certifications:

• What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
• Process to obtain ISO/IEC 20000 certification: Companies and individuals https://advisera.com/20000academy/knowledgebase/iso-20000-certification-the-process-of-obtaining-a-certifica/

For the ISO 27001 Lead Auditor Course, please see:

• ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

Technology to enforce and attest ISO 27001 controls

Please note that it is our policy not to make recommendations about technologies, but broadly speaking most solutions used in cloud environments (e.g., virtual machines and lead balancers, etc.) now have policy enforcement and activities monitoring capabilities, so you need to check with your provider which capabilities it can provide to you and if these capabilities are enough to fulfill your needs (based on the results of risk assessment and applicable legal requirements).

For further information, see:

• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

Records or Documents

Please note that documents describe rules to be followed and/or actions to be performed, whereas records evidence actions performed and/or results achieved. Additionally, documents can be updated, while records cannot (at most they can be complemented, i.e., new information can be added, but the original information cannot be changed).

Considering that, Risk Assessments are records (they evidence that risk assessment was performed and the assessed risks), as well as Risk Treatment Plans (they evidence which actions were performed to treat risks and achieved results). Since records cannot be updated, it only makes sense to apply version control on them if they can be complemented (in this case the information for version control can be the date of the last included complement). However, they need to have ways to be uniquely identified.

As records, they indeed need to have specific retention time, based on business and legal requirements.

This article will provide you a further explanation about record management:

• Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

These materials will also help you regarding record management:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Performance indicators for employee evaluation

ISO 9001:2015 sets no mandatory requirements to use performance indicators of an employee. So, if your organization wants to use them it is free to determine them. I can give some suggestions, linking performance of an employee to:

Performance of process indicators affected by the employee (process indicators are mandatory according to ISO 9001:2015)
Results of competence evaluation

The following material will provide you more information:

• How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
• How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
• Please check this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/  - how to relate processes and objectives
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Life Cycle Assessment

I recommend organizations to draw a flowchart with the main steps in the life cycle.

Then, design a table where the first column identifies the main steps. The other columns include topics like aspects, impacts, legislation or regulation related, legislation or regulation compliance situation, evaluation parameters and final result with decision upon significance.

Remember, ISO 14001:2015 uses the word "consider". So, the life cycle perspective implies the consideration of the material life cycle associated with products and services, not requiring a detailed assessment. Your organization should carefully determine which stages of the life cycle it can control or influence, which can vary widely depending on the context.

Please consider these sources of information:

• Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
• How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
• Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

ISO 9001 Audit finding clarification

Sometimes I think the same. Sometimes I think there is a “political” use of the classification. As a general rule, you can follow that a major nonconformity is a situation where an organization:

Completely failed to fulfill a certain requirement.
Has a process that has completely fallen apart – rules are not followed systematically.
Has several minor nonconformities that are related to the same process or to the same element of the management system
If a certification mark is misused
If a minor nonconformity, raised during the previous audit, has not been resolved within the deadline – such a small nonconformity automatically becomes a major one.

You can find more information in the following links:

• Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
• Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ (includes a slide about the follow-up)
• You can enroll for free in this course - ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

Is ISO 13485 required by MDR?

Yes, you are right that MDR does not state that this should be ISO 13485. However, in Article 8 – Use of harmonized standards is stated that manufacturers must be in compliance with standards that are published in the Official Journal of the European Union. Currently available is the list published 17- 11-2017. On that list is more than 300 standards and the only standard that is covering the quality management system is ISO 13485:2016. That is why it is expected for the manufacturers of medical devices to have implemented ISO 13485:2016.

Of course, since there are a lot of standards on that list that have since been revised, it is expected that a new list of harmonized standards will be published after 26 May 2021, with regard to the full entry into force of the MDR.

For more information, see:

• EU MDR Article 8 – Use of harmonized standards https://advisera.com/13485academy/mdr/use-of-harmonised-standards/
• List of harmonized standards https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC

• Toolkit content

  The following documents may cover the documents you mentioned (you should consider seeing their free demo to evaluate if they can fulfill your needs):
  - Threat management policy and/or process: Incident Management Procedure https://advisera.com/27001academy/documentation/incident-management-procedure/
  - Policy and/or monitoring strategy: Security Procedures for IT Department https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
  - Data management policy (rest, in transit and in third parties): Information Classification Policy https://advisera.com/27001academy/documentation/information-classification-policy/
  - Risk Impact Analysis (RIA): Risk Assessment and Risk Treatment Methodology https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
  - Crisis Plan: Business Continuity Plan https://advisera.com/27001academy/documentation/business-continuity-plan/

  For the remaining documents, they are not included in the toolkit because they are not commonly used in an ISO 27001 implementation, but in case you need to document them and find it difficult to write them by yourself, by buying the toolkit you will have access to support channels that you can use to clarify your doubts on how you should write them.