You can create a single asset named "laptop" associated with all the common threats and vulnerabilities they face. In case you have risks specific to certain laptops, you can create additional assets, like "sales laptop" or "development laptop", and associate to them the specific threats and vulnerabilities.
This article will provide you with a further explanation about managing assets:
By the way, included in the toolkit you bought, you have access to a video tutorial that can help you fill in the risk assessment table.
ISO 27001 does not prescribe how to write a document, so both approaches (to have two documents or a single one) are acceptable by the standard.
In this case, your decision should be based on how big and complex a single document would be because this can make it more difficult for people to read, understand, and use it properly.
To see what an Information Security Policy and an Information Technology Security Policy compliant with ISO 27001 look like, please access the free demo of these templates:
These articles will provide you with a further explanation about how to develop documents:
These materials will also help you regarding ISO 27001:
"What questions to ask management when planning the audit?"
Answer:
ISO 14001:2015 requests top management example, commitment, and leadership. Think about auditing top management about management review, environmental policy and objectives, compliance evaluation results, context, risks, and strategic orientation. I wrote this article about the topic of auditing top management - How to perform an ISO 9001 audit of top management without fear - https://advisera.com/9001academy/blog/2019/05/15/iso-9001-top-management-audit-how-to-perform-it-successfully/ - perhaps it can be useful for you.
What system should be used to select a sample, or can anyone just select the sample he/she thinks is right?
Answer:
An auditor may choose between a statistical and a nonstatistical approach to audit sampling. Normally, during internal audits, you don't need to follow a standard like ISO 28590 to determine sample size. You need to pick a sample that is not biased; for example, if you are auditing the environmental practices of an organization that works 24 hours a day, also audit the night shift. And you need to pick a sample size that gives you confidence for a conclusion. If you have 20 containers for segregating wastes, you don't just check one to conclude that everything is OK or NOK.
You can find practical information in the links below:
Does it mean the certification body cannot raise any NCR during certification if the company's internal audit was conducted by non-qualified auditors?
Answer:
Attention! Any certification body, and I as an auditor too, will raise an NCR during an audit if the company's internal audit was conducted by non-qualified auditors.
Any organization has to use qualified auditors. Perhaps what is generating some confusion is this: each organization has to determine what its qualification requirements for internal auditors are, and each organization has the authority to determine what its competence requirements are. Then, during the certification audit, organizations have to evidence that their auditors comply with those requirements.
The following material will provide you information about internal auditors:
In case the NDA identified in the SLA you have with your provider fulfills all your needs (you should confirm that with a legal expert, based on the results of risks assessment and applicable legal requirements), and is regularly reviewed, then this situation is compliant with requirements of control A.13.2.4 - Confidentiality or nondisclosure agreements.
Regarding control A.15.1.2 – the identification of the NDA in the SLA provided by the supplier is acceptable, but please note that you also need to verify if other relevant risks related to this supplier are also covered by security clauses in the SLA.
These articles will provide you with a further explanation about supplier management:
These materials will also help you regarding supplier management:
You should ask for this information from the certification body with which you plan to work, because it is the certification body that plans the audits you will be included in (e.g., you may be included in three audits in sequence or one audit per month, etc.). In general, a single certification audit may last between 3 and 5 days, depending on the size and complexity of the scope.
For further information, see:
The data protection policy is an internal document that shows how the company deals with personal data, and it is not published in contracts, so maybe you are referring to clauses on data protection in your contracts (yes, you should have them) or to a data protection agreement as an annex to contracts signed with clients or suppliers (it is required if the contract involves the transfer of data between the two subjects). The privacy policy on the website usually describes how personal data collected through the website are processed; it may also involve data processing made by the company with personal data of clients (i.e., there is an online shop). Of course, if your privacy policy on the website describes how your company processes data of clients, employees, and suppliers, you can state in your contract that data are processed according to the privacy policy available on the website (remember to insert the link).
Here you can find more information about the privacy notice.
If you need to understand how to process personal data under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Normally, those documents are issued over digital support. So, to control those documents you need to control the software that issues them. That way you don’t need to show identification numbers, revision and revision date.
By the way, since you use the wording "external documents", please check this article - What does "external documents control" mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
You can find more information below:
You asked
Once you attain accreditation for a lab can you also expand the accreditation to another premises? Would the lab tests being performed in the new premises have to be re-validated etc?
Accreditation is typically per site, so in that case each site would need a separate accreditation assessment. You could obviously share QMS documentation, but records, including MV, would be required for each site. Alternatively, for some programmes the new premises could be accredited under a satellite programme as falling under the quality management system of an accredited head office / reference laboratory. I suggest you confirm this with the particular accreditation body; it will depend on their policies and the programme on offer.
You also asked
Is it ok to write a calibration due date on a calibration cert for a device we have calibrated? Do we need to write a disclaimer saying the calibration interval is determined by the customer? I've seen this on a number of ISO17025-accredited certificates.
It is not acceptable to specify a date and then state a waiver as described. ISO 17025 specifies that the calibration laboratory cannot document any recommendation on the calibration interval, unless agreed with the customer. This means if there is evidence of agreement, you can include the date. No waiver is applicable.
And you asked
We use a subfraction of an ISO 12103-1 standard dust for calibrating our dust monitors. Does this material need to be tested (particle distribution) by an ISO 17025 accredited laboratory? We have a particle distribution from a non-accredited lab for the material. I am concerned that, as we are using it as a reference material, we would need to have an accredited certificate of the particle distribution.
To answer this question, ISO 17025 clause 6.5 applies, as well as the policy of your accreditation body. As an example, see TPS 57 UKAS Policy on Selection and Use of Reference Materials (Edition 4, June 2020). Yes, you are right: as a calibration lab issuing a certificate with a reported measurement uncertainty, the material should ideally be certified to achieve that assurance. For example, in UKAS TPS 57 they state that UKAS recommends the use of accredited reference material producers and calibration laboratories where they exist. Basically, in a testing context this requirement may be less stringent, as a testing lab would need to provide assurance that the results are traceable, along with a known measurement uncertainty. This they in fact get from the calibration lab. The context is different if you are issuing a calibration certificate. I do suggest a call to your accreditation body to confirm this, before incurring additional costs. The link to TPS 57 is available from https://www.ukas.com/resources/publications/laboratory-accreditation/
Regarding the certification of medical devices, we must separate two things: one is the certification of the quality system according to ISO 13485:2016, and the other is the certification of products and the issuance of the CE mark according to the MDR.
Manufacturers of Class I medical devices do not need a notified body for product certification. So, they themselves issue the Declaration of Conformity and put the "CE" mark on their medical products, but the CE mark without a number (for example, they put the CE mark on the product, and not CE2460).
Manufacturers of Class I medical devices need to prepare a quality system in accordance with ISO 13485 and be certified according to that standard.
For more information, please see the following: