Search results

ISMS question about scope

Please note that the ISMS scope needs to include at least one physical location. In this case, this location can be the organization’s headquarter, or the team leader's home address.

These articles will provide you a further explanation about scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
  Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Test Report Validity

You asked

"Need help in validity of any test report [from date of issue]. Is there any standard practice to be followed for considering the validity of the Test Report?

The validity is about the results rather than the test report itself. ISO 17025 has requirements regarding the approval of results and content of the actually test report, as specified in clause 7.8 Reporting of result. This means the report must be compliant (meet requirements). The actual results (content of the test report) needs to be valid. The requirement regarding ensuring the validity of results is covered in clause 7.7; which together with the other requirements of ISO 17025 assures clients and the accreditation body of the laboratory’s competence to produce suitably reliable results – i.e. consistent, valid results.

The standard practice is to have internal (clause 7.7.1) and external (clause 7.7.2) quality control checks. Internally this would involve, for example the use of various blanks (e.g. reagent and sample blanks), running certified reference or quality control materials with each batch of test samples or after very say 10th sample; depending on the stability of the method. External Quality Control involves participation in proficiency testing or interlaboratory comparisons to compare performance with other laboratories. This is to control the risk of a bias.

You also asked

“What should a certification body consider if the historical test report submitted by the client is more than 5 to 8 years?"

The relevant issue is the test reports issued to clients by an accredited laboratory. The accreditation body, when auditing a laboratory for compliance for accreditation, would need to assess recent reports, typically not older than 3 months.

For more information on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ which cludes the Quality Assurance Procedure.  The procedure is also available separately at https://advisera.com/17025academy/documentation/quality-assurance-procedure/

IATF 16949 scope

If other parts are not included in your IATF 16949: 2016 document; Not audited for IATF 16949: 2016 standard. But if you want and if your automotive customer has an expectation;  you can expand the scope and get other parts to your certificate. 

For this, as you know you should inform your certification company in advance.
 

Gaining best skills as auditor

Every auditor should have the following skills:

1. Good knowledge and understanding about the area that he/she audit

2. Good communication skills, assertive, asking questions without inducement, asking open-ended questions

3. Critical thinking – auditor must be capable to step outside of own judgments and biases in order to consider all perspectives

4. Curiosity – to see details, to ask questions that are not maybe always logical

All of these skills can be obtained through work on yourself or some webinars and books.

More information regarding the internal audit for ISO 13485 you can find on the following links:

• Five main steps in the ISO 13485:2016 internal audit https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
• How to create a checklist for an ISO 13485 internal audit for your QMS https://advisera.com/13485academy/knowledgebase/how-to-create-a-checklist-for-an-iso-13485-internal-audit-for-your-qms/

• Scope confirmation

  First it is important that scope is defined in two different places - (1) in the ISMS scope document, where the specification needs to be much longer since you need to define what is in and what is out of the scope, and (2) in the scope sentence displayed on your certificate - that scope you need to define together with your certification body.

  Further, your suggested scope focuses on 'management of information security' which does not make much sense because this would mean that you want to implement security only for your security activities, and not support your regular/business activities and information.

  To see how an ISMS scope document compliant with ISO 27001 looks like, please access the free demo of our ISMS Scope document at this link: https://advisera.com/27001academy/documentation/isms-scope-document/

  These articles will provide you a further explanation about scope definition:
  - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

  These materials will also help you regarding scope definition:
  - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
  - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Information classification and labeling

  For this answer, I’m assuming that control A.8.2.2 - Labelling of information, is considered applicable in the Auditee’s Statement of Applicability.

  Considering that, please note that this situation needs to be considered in the context of the auditee’s procedures for labeling of information (ISO 27001 Annex A control A.8.2.2 - Labelling of information – requires procedures for information labeling to be developed and implemented).

  In case there is a documented procedure for information labeling (the control does not require related procedures to be documented), you need to check what this document defines regarding labeling of information requested for audit. If there is no documented procedure, you need to check additional evidence to understand the common practice (e.g., by interviewing other people to see if they share the same understanding regarding the labeling of information requested for audit).

  From this evaluation, you can decide if this situation is a common practice or if there is a failure to fulfill an expected behavior (i.e., a nonconformity).

  This article will provide you a further explanation about information labeling:

  • Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

  These materials will also help you regarding information labeling:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Benefits of asset-based approach

  To understand the benefits you need to see the risk assessment from the users’ point of view.

  For people that are not used to perform risk assessment, it is easier to remember an event that may affect them than a specific set of elements (i.e., asset-threat-vulnerability), so you can perform risk assessment faster, without worrying about longer training sessions, and get the most relevant events in the users’ point of view.

  This material will help you regarding risk assessment:

  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• Finding an auditor

  From your question is not clear if you are referring to an internal auditor or a certification auditor, so the answer will cover both situations.

  The “DIY with expert support” approach does not change the main points you need to consider.

  When looking for an auditor to perform an internal audit you should consider:

  • the knowledge about your industry
  • reputation
  • pricing

  We are not aware of specific jobs, boards, or professional associations of ISO 27001 internal auditors, so your best approach would be looking for them on professional social networks like LinkedIn, ISO 27001 security group on Google Groups, or organizations which issue certificates for information security professionals like ISC2 or ISACA.

  For further information, see:

  • Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
  • 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/

  When looking for an auditor to perform a certification audit you need in fact to look for a certification body, and for this, there are several factors you should take into account when selecting a certification body, please read this article:

  • How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

  The main certification bodies for ISO 27001 are:

  • BSI: https://www.bsigroup.com
  • Bureau Veritas: https://www.dnvgl.com/
  • DNV: https://www.dnvgl.com/services?ServiceTypes=136423
  • SGS: www.sgs.com/
  • TUV: www.tuv.com

  You can also find a proper certification body at this link: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

  You can use this link to enter your profile, and we will find the certification body that best fits your needs.

• ISO 9001 Secondary review

  No, records should be reviewed by the function with the authority to do it. If we are speaking of records from the purchasing area perhaps your quality system determines that review for content and approval is made by a function in the purchasing department.

  During internal audits, auditors can audit records for content and approval.

  You can find more information about documentation below:

  • New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• ISO 9001 QMS

  ISO 9001 in its latest version of 2015 does not require a quality manual. So, a quality manual is no longer mandatory. However, as a consultant working with organizations, I recommend developing a quality manual. 

  Since it is no longer mandatory, we are free to design its content. I recommend designing a document that presents the quality management system. Presenting:

  • your organization and its history
  • the scope of the quality management system
  • its quality policy
  • its model of working based on the process approach 

   In plain English would be something like:

  • Who are we?
  • To whom do we work?
  • What are our priorities?
  • How do we work? 

  The following material will provide you information about the quality manual:

  • The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • Free online training ISO 9001:2015 ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/