The main purpose of the stage 1 audit is to verify whether your environmental management system is designed in compliance with the requirements of the standard. Anything can be audited in terms of documentation. Stage 1 audits are not for auditing implementation. So, do not expect the stage 1 audit to audit operations, for example.
Documents to be reviewed during this stage of the audit are all the documents that belong to the scope of your management system; this includes documents required by the standard itself and the ones that the organization has determined as necessary for effective maintenance of the management system.
ISO 14001:2015 requires that an organization determines its compliance obligations and keeps them updated (clause 6.1.3). ISO 14001:2015 also requires that an organization periodically evaluates the status of its compliance obligations.
For both of these activities, ISO 14001:2015 does not recommend any particular frequency. It is up to each organization to determine the most suitable frequency. Some economic sectors and some countries are more prone to legal changes than others. Each organization determines its own frequency and can evaluate its effectiveness by checking whether many changes are found between consecutive determinations.
Besides these clauses, ISO 14001:2015 requires that an organization audits its environmental management system at least once a year (actually, ISO 14001:2015 does not set the yearly requirement; the yearly requirement is set by the certification bodies in their contract with organizations).
Please consider the following information:
Document control involves ISO 17025 mandatory documents as well as those you develop. It is not just about the unique identifiers (document name, number) and revision number. The purpose of document control is that, plus making sure the correct documents are in use and obsolete versions are taken out of use. Furthermore, it makes sure all documents are reviewed periodically and have been approved.
For more information, see:
- a similar question at https://community.advisera.com/topic/document-control-6/
- the ISO 17025 toolkit document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/
- the article List of mandatory documents required by ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/
- the whitepaper Checklist of mandatory documents required by ISO 17025:2017 available from https://advisera.com/17025academy/free-downloads/
Please note that ISO 27001 and ISO 20000 have different objectives and core requirements, so only one of them is not enough to fulfill the criteria for both certifications. However, they share many requirements, which makes implementing them together easier.
Now, regarding the necessity, this can only be evaluated based on your organization's strategies and objectives. For example, if your core business is related to the provision of IT services and you have a clear demand for information protection, then both certifications would help.
If I understand your question correctly, you are asking whether notified bodies recognize the standard ISO 13485:2016 as a quality management standard.
According to the MDD, all manufacturers must be in compliance with applicable harmonized standards. Harmonized standards are standards published by the European Commission in the Official Journal of the European Union. On that list, ISO 13485 is the only standard that covers the quality management system.
Considering the MDR, there is still no list of harmonized standards published that will answer MDR requirements. It is expected that a new list of harmonized standards will be published by May 2021. Therefore, ISO 13485:2016 is still not harmonized to the MDR.
Let's evaluate it considering S.M.A.R.T. concepts:
I'm assuming you are referring to a security dashboard.
Considering that, ISO 27001 does not prescribe the development of dashboards, only that objectives be defined.
To build information security indicators I suggest you see these materials:
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- Measurement Report https://advisera.com/27001academy/documentation/measurement-report/
These articles will also help you:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Please note that regarding controls from Annex A, you can have 3 scenarios:
1) The control is not applicable – in this case no document needs to be written
2) The control is applicable and the document related to the control is mandatory – the control requires activities to be performed and documented, so a document needs to be written
3) The control is applicable and the document related to the control is not mandatory – the control only requires activities to be performed, so no document needs to be written; it can be implemented only through performing activities
Scenario 2 is the case for the documents related to the controls listed in the mandatory documents. If those controls are identified as applicable, you need to develop the related documents, or you will not be compliant with the control.
These articles will provide you a further explanation about ISO 27001 controls:
- A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding ISO 27001 controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
I'm assuming that your question is about the implementation steps of your purchased toolkit.
Considering that, you need to follow the steps from the toolkit, i.e., implement the documents in the order of the presented folders and documents, and to ensure people are mature in the ISMS process you need to make them aware that they need to comply with all policies and procedures.
These materials will also help you regarding ISO 27001 implementation:
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
- Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
- ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
1 - But if that vendor was left outside of the scope, would they still be part of the risk assessment? Would it still come up?
Answer: Please note that vendors must be included in the risk assessment if they can influence the confidentiality, integrity or availability of information within the scope – e.g., Amazon AWS (an external vendor) can influence the data on a virtual server that is included in the scope, therefore it needs to be included in the risk assessment.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
2 - My concern would be that if we depend on a vendor to provide a secure service, but it's not in our control so we leave it out of our scope, how would we consider and manage it? Sounds like a loophole.
I suppose we shouldn't want to leave a vital process outside of our control to begin with, but am still wondering if there could be a loophole there...
Answer: When some of your processes are handled by vendors, you can ensure control over them by defining proper information security clauses in the contracts signed with them, or by evaluating if their offered service agreements have all the clauses you need to ensure your information is protected.
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
3 - I get why a scope has to be chosen early, but if the risk assessment comes after the scope, it just seems to me that a vital asset or vulnerability could be left out of consideration. Which would mean a different risk management framework would be needed apart from ISO 27001?
I might be going down the rabbit hole here. I really appreciated the webinar and guidance so far! It has helped me out a lot so far.
Answer: First, it is important to note that organizations may adopt risk management approaches that do not make use of assets and vulnerabilities (e.g., because they use a process-based or scenario-based risk assessment).
Considering that, if the scope is properly based on the organizational context, legal requirements, and interested parties, it is unlikely, when using the asset-threat-vulnerability risk assessment approach, that relevant assets or vulnerabilities will not be identified. In case this occurs, you should review your initial assumptions about the scope, so there is no need to use a different risk management framework.
These articles will provide you a further explanation about context identification:
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/