Search results

Does acceptance by exception by the customer must always be formalised by the supplier?

Let us use ISO 9001:2015 as our guide. After a non-conformity being detected, a supplier may decide to ask for a derogation by the customer. According to ISO 9001:2015, clause 8.7 the supplier must keep records evidencing that the customer authorized the derogation. There is no requirement about what kind of record is to be used. The supplier may use its own internal NC and ask the customer to use it for evidence approval, or the supplier may annex an e-mail from the customer to evidence that approval.

You can find more information about improvement in the following links:

• How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

IT Managed Service Providers

1. Is there an ISO certification we should look at?

Please note that ISO certifications are not mandatory by themselves, although some countries have established laws and regulations that are easier to be fulfilled by adopting them, and an increased number of customers are preferring ISO-certified organizations as suppliers because they consider such organizations are more capable to help them.

Considering that, you need to evaluate your legal environment and customers’ profile to see if an ISO certification is interesting to you.

Broadly speaking, IT Managed Service Providers, should consider the following certifications:

• ISO 20000: related to the management of IT services
• ISO 27001: related to the management of information security
• ISO 9001: related to quality management

These standards share many common requirements, so you can implement them in an integrated way.

These articles will provide you a further explanation about ISO standards:

• What is ISO 27000? https://advisera.com/20000academy/what-is-iso-20000/
• What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
• What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/

This article can provide you a customer point of view (the same general concept applies to all ISO management standards):

• Why is it important for your hosting partner to be certified against ISO 27001? https://advisera.com/27001academy/blog/2019/07/02/iso-27001-for-hosting-companies-what-are-the-main-benefits/

2. What would be involved to get certified and what sort of costs would we expect?

After the implementation of documents and controls required by the specific standard, you need to make sure that everyone in the company is complying with documents, i.e., performing all the activities prescribed there. After that, you can work on selecting your certification body.

Our toolkit can help you with the implementation: 

• ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These articles will provide you a further explanation about the ISO 27001 implementation process:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/2011/how-to-prepare-for-an-iso-27001-internal-audit/
• Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

Regarding costs, without detailed information about the certification scope it is not possible to give you a precise answer, but broadly speaking, what I can tell you is that these are some cost issues you should consider:

• Training and literature
• External assistance
• Technologies to be updated/implemented
• Employee's effort and time
• The certification process

These materials can provide you more information:

• How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
• 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/2019/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
• How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/
• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

For the duration of the implementation:

• How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - Please note that this is the timing that is needed for companies that use our toolkits.

These materials will also help you regarding ISO 27001 project:

• ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 27001 implementation

Besides our webinars, to support your ISO 27001 implementation in Advisera you can find:

• blog posts: https://advisera.com/27001academy/blog/
• free to download templates and whitepapers: https://advisera.com/27001academy/free-downloads/
• ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
• free to enroll online training courses: https://advisera.com/training/

Regarding specialists, you may consider a specialist in the ISO 27001 standard (with our toolkit this need is reduced to a minimum) and specialists in your core processes and technologies.

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Annex A controls

Besides information about specific controls in our blog (https://advisera.com/iso-27001/), and how to apply them, these materials may also help you:

• Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Annex A controls

Além de informações sobre controles específicos em nosso blog (https://advisera.com/iso-27001/) e como aplicá-los, esses materiais também podem ajudá-lo:

• Visão geral do Anexo A da ISO 27001:2013 https://advisera.com/27001academy/pt-br/knowledgebase/visao-geral-do-anexo-a-da-iso-270012013/

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Statement of conformity

Simply stated, measurement uncertainty cannot be ignored when it comes to conformity statements reported under accreditation. During contract review a laboratory must confirm with the customer that it can meet the requirements for accuracy and are able to perform the measurements. The issue of Measurement uncertainty must be discussed and evaluated to avoid the risk of false pass (acceptance), as the uncertainty could result in the measurement reported being larger than the specification, due to the uncertainty component,

If the expanded measurement uncertainty is smaller than the accuracy requirements of the regulators or client, then the agreed decision rule could, for example, be: “PASS” indicates that the test method conforms with the accuracy requirements of the testing standard. The expanded measurement uncertainty (k = 2 ,95 %  probability) is not greater than the accuracy requirements defined as <value>. You could also refer to a table.

For more information, refer to the ILAC guideline G8:09/2019 Guidelines on Decision Rules and Statements of Conformity available for download from https://ilac.org/publications-and-resources/ilac-guidance-series/ and refer to your accreditation body requirements. A good example of a guideline from an accreditation body is the UKAS Lab 48 Decision Rules and Statements of Conformity, available from hhttps://www.ukas.com/resources/publications/laboratory-accreditation/

ISO 27017

1 - They've asked if there's any way they can be certified, considering they're already ISO 27001 certified. I've been researching the topic for a while and i've only seen this type of compliance statement being given to Cloud service providers.

Answer: First it is important to note that ISO 27017 is not a certifiable standard (some certification bodies "certify" against ISO 27017, but only during an ISO 27001 or ISO 27701 certification processes, because ISO 27001 and ISO 27701 are the only certifiable standards in the ISO 27000 series).

Considering that, to be "certified" against ISO 27017 all an organization needs to do is to include the applicable controls related to ISO 27017 in its Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process) and implement the risk treatment plan also considering the ISO 27017 controls.

These articles can provide further information:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

2 - I wanted to ask if you have seen this attestation being requested and given to any company that is only a cloud consumer.

Thank you in advance for your attention!

Answer: Please note that ISO 27017 also has controls applicable considering the point of view of the customer, so cloud consumers also can request to be “certified” as explained in the previous question.

Monitoring and Measurement / Environmental Controls

Yes, you can reduce the number of sampling sites. It is recommended that you perform validation of that process, where you will analyze all data that you have collected so far and explain why is it justified to reduce the number of sampling sites.

For more information, please see the following link:

• Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/

• ISO 9001 Organization and stakeholders context analysis

  Please, check this free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - - where you can see examples of context and interested parties analysis.

  You can find more information below:

  • How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
  • How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Forms meet AIAG standards

  The Automotive Industry Action Group (AIAG) quality initiatives include various association standards. I cannot tell from your question which standard you are referring too. An international standard for quality management in the automotive industry, IATF 16949:2016, is for example based on ISO 9001:2015. Regarding ISO 17025, the management requirements are the same as ISO 9001:2015. Basically, the international ISO standards have a common structure and requirements for document and record control, as well as data and information management.  

  Most industry standards are used in conjunction with other ISO standards, such as ISO 9001 and ISO 17025. The specific requirements will depend on the standard and application for a testing or calibration laboratory. I suggest you contact your accreditation body and find out the specific requirements for the accreditation programme associated with the automotive industry for testing and calibration laboratories.

  For more information on IATF 16949, see the Advisera academy https://advisera.com/16949academy/

  Regarding records, see the ISO 17025 toolkit document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/

  Also have a look at the whitepaper Clause-by-clause explanation of ISO 17025:2017, available for download from https://advisera.com/17025academy/free-downloads/