
  • Starting with SOA

    Please note that before you start the SoA you have some work to do (e.g., definition of the ISMS scope, information security policy, risk assessment and treatment methodology, etc.).

    Considering that, we suggest you follow the order of folders and templates provided in the toolkit, so you minimize the complexity of your implementation and risks of rework.

    Once you have completed the templates needed to support the SoA, you will have a better understanding of how to fill it in. In short, to start documenting the Statement of Applicability you need to perform a risk assessment and risk treatment, to identify the relevant risks and the controls (from ISO 27001 Annex A or other sources) you will implement to treat them. Additionally, you need to identify legal requirements (e.g., laws, regulations, and contracts) which require the implementation of specific controls.

    For further information, see:

    Additionally, included in the toolkit you buy, you will have access to a video tutorial that will help you fill in the Statement of Applicability.

  • Modification planning

    Thanks for your response.

  • Naming audits after upgrading to ISO 45001

    If you are transitioning from OHSAS 18001 to ISO 45001 during this year’s audit, then this is an ISO 45001 certification audit even if you were partway through your 3-year cycle on OHSAS 18001. This audit will confirm all of the ISO 45001 implementation, and is therefore not the reduced audit you would see in a surveillance audit.

    You can read a bit more on the certification process in the whitepaper: What to expect at the ISO certification audit: What the auditor can and cannot do, https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit

  • ISO 9001 and financial problems during the pandemic

    No, implementing a QMS according to ISO 9001:2015 is no bullet-proof vest against financial problems during the COVID-19 pandemic. However, I believe that having a QMS according to ISO 9001:2015 can help organizations respond to the situation. In extreme situations, if your organization cannot operate due to a mandatory shutdown by the authorities, it is irrelevant whether or not you are ISO 9001 certified.

    You can find more information below:

  • Monitoring risk management

    https://www.screencast.com/users/ccruz5284/folders/Default/media/23be2427-2234-4dc4-85d6-2da127f836ba

    To monitor risk management, you want to evaluate how each of the four steps is performed:

    • Determine risks
    • Assess risks
    • Mitigate risks
    • Monitor results

    You can list all the relevant situations where your organization failed with risk management by considering performance results, for example:

    • Complaints
    • Defects
    • Delays
    • Higher costs
      … 

    Each time any of these situations arises, it is a signal that somewhere in our risk management methodology we failed. Then comes the need to determine the causes of those failures. For example, last week I worked with an organization that realized that its practice for determining risks during construction had to be improved. The person determining risks had no first-hand construction experience. So, instead of one person, they decided to use a small team.

    You can find more information below:

  • Imparting ISO 9001 implementation benefits

    Show them the pain.

    Normally, people don’t change because of rational explanations; people change through their heart. Can you show them compelling examples of things that go wrong and damage organizational reputation or financial situation? Then, can you show them how a QMS could make a difference in mitigating each of those examples?

    You can find more information below:

  • Auditing methodology differences

    There is no difference in terms of methodology between 1st, 2nd, and 3rd party audits. They all have to be prepared, executed, and reported according to ISO 19011 requirements.

    You can find more information below:

  • Implementation of ISO controls

    Please note that hidden risks can be related to:

    • not considering, in the risk assessment, risks related to already implemented controls (such risks in general already have low values and are not considered for further treatment, but they still need to be identified in the risk assessment).
    • not involving all relevant personnel in the risk assessment (e.g., department manager, process owner, key user, etc.).
    • people involved not having proper training on how to perform the risk assessment.

    Additionally, note that controls also can be related to legal requirements (laws, regulations, and contracts), and may need to be implemented even if there are no relevant risks.

    If after considering these items you still find not enough controls related to risks or requirements, please note that typically smaller companies find 90 to 110 controls applicable, whereas larger companies find 105 or more, and some of these controls are marked as applicable only because the organization felt this was a logical decision (e.g., backup or passwords); your organization can do the same.

    These materials will also help you regarding risk assessment:

  • ISMS responsible and CISM

    Please note that the ISMS responsible is a role an organization can create, or incorporate into an existing role, to cover at least these activities:

    • ensure that the ISMS conforms to the requirements of ISO 27001
    • report on the performance of the ISMS to top management.

    As for CISM (Certified Information Security Manager), it is a certification issued by ISACA which evidences that the certification holder has a certain set of knowledge and experience in information security management, which goes beyond the requirements related to ISO 27001.

    This article will provide you a further explanation about roles for ISO 27001:

    These materials will also help you regarding roles for ISO 27001:

  • 17025 accreditation: cost benefit

    You asked

    What about higher income for 17025 accredited cals compared to non-accredited? Do you happen to have a rough % of additional price that a lab can charge for an accredited calibration, compared to just a straight commercial cal with NIST traceability?

    Pricing all depends on your sector, market (competition), and regulations. I cannot provide an idea of a price increase. What I can offer is some advice on how to proceed towards a decision to implement ISO 17025 and seek accreditation. Typically, to secure more business and a higher price, it will involve “selling” the added benefit to customers: the assurance of consistent, reliable results. If accredited, it is not just the word of the laboratory, but that of the accreditation body, that provides the client with additional confidence. Providing a calibration with NIST traceability alone does not provide assurance that only competent personnel perform the calibration, and that all the other technical requirements are met.

    Accreditation is often mandatory for calibration laboratories; however, if it is not, then to help make the decision I suggest that the laboratory obtain a quote from their accreditation body and estimate the total cost of obtaining and maintaining accreditation each year. Then do a risk/opportunities analysis. Look at the financial risks and benefits. Consider first the current income and number of calibrations, and by how much you would need to increase the price just to recover your additional costs. Then consider the reputational opportunity (benefit): whether you may gain (or retain) customers. Another benefit to consider is reduced costs due to improved efficiency and fewer repeats. This may lead, for example, to an opportunity to increase the number of calibrations performed monthly. Then look at the rates charged by competitors.

    Financial management for the organisation should be able to assist with a model to decide whether the additional cost of accreditation could be recovered, from a financial perspective. Then, by effectively implementing and maintaining the system, cost savings and further income should be realized.
