Search results

Internal audit duration

First, consider the scope of the audit. Will you audit one or more processes? Will you audit one or more departments or teams?

Then, study the audit criteria (ISO 9001:2015 clauses applicable within the scope, procedures, instructions, …). While studying the audit criteria start listing the questions that you want to make to whom, start listing what you want to see and where to think about the sample size that you should consider to later support your audit conclusions.

After this, you should have an idea about the time needed for each stage in your audit, considering the number of questions to ask and to whom, what you want to observe, the sample size, the number of records you want to check. Normally, 20 minutes is the minimum I take for each stage, and 1 hour the maximum.

You can find more information below:

• Article - ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
• Webinar - Free webinar on-demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
• Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

Document ID

ISO 9001:2015, clause 7.5.2 a), invites each organization to determine a document identification methodology, it gives some examples but does mandate a particular solution.

Without seeing the different types of documents and where are they located in document structure as presented in this article - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/ - it is not very easy. The point is, your organization can design its own way for each kind of documents: a name, a code, a number. Isolated or linked to processes, to departments, to lines of business.

You can find more information about documentation below:

• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Record management procedures

Records are the memory of an organization. Organizations without records, or missing records, or not knowing where to find them, are organizations with learning problems.

This is mainly treated in ISO 9001:2015 clause 7.5.3:

In the following diagram, I organize a set of questions to ensure records management.

You can find more information about records below:

• How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

ISO 9001 Implementation and scope

what department to start the implementation?

Answer:

There is no technical answer to this question.

Normally, I like to start with a process (includes more than one department) that rapidly brings performance improvements. For example, for a manufacturing company, starting with a process like “Supply materials” (evaluate and qualify suppliers, order materials, receive and control materials, store materials, supply materials), may bring more confidence, more control, and show measurable gains.

Sometimes I have the opportunity to start with top management clauses and processes. Normally, when top management is really committed to the management system.

what the scope should cover?

Answer:

There is no technical answer to this question.

Deciding on the scope of a quality management system (QMS) is a management decision. For example, a hotel:

A hotel may develop a QMS just for the hospitality part, and just for travel agencies, not for treating individual guests.

You can find more information below:

• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
   

Signing electronic documents

In the TITLE 21--FOOD AND DRUGS CHAPTER I--FOOD AND DRUG ADMINISTRATION DEPARTMENT OF HEALTH AND HUMAN SERVICES SUBCHAPTER A – GENERAL, Part 11 Electronic records, electronic signatures is stated that c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.

For more information, see:

• CFR - Code of Federal Regulations Title 21 https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11&showFR=1
• Part 11, Electronic Records; Electronic Signatures - Scope and Application https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application#iiic

• IATF 16949 People engagement

  As you know, the involvement of top management is important for the IATF 16949: 2016 standard, and there are many requests in clause 5 specifically on this issue. 

   

  I can suggest a few methods to get senior management involved.

  • First of all, you can plan IATF standard training for top management.
  • By meeting with senior management from time to time, you can give feedback on the company's quality status, weak points, and improvement suggestions. You can even ask for help in assigning tasks to him at these meetings.
  • If you hold monthly meetings with the senior management and management team to review the main goals of my company, it will be important in terms of participation.
  • You should include senior management in the program in internal audits.
  • In external audits, you can ask him to help him present the company's strategic plan, main risk analysis, management review result.
  • It is useful to periodically share the improvement studies and their gains with the senior management and team.
  • From time to time, the participation of senior management can be increased with external consulting support.
     

   

• Classification of digital information

  ISO 27001 does not prescribe a way to classify information, so organizations can adopt the scheme which best fits their needs. The adopted scheme only needs to be aligned to perceived risks and applicable legal requirements.

  Considering that, first you need to identify which legal requirements (e.g., laws, regulations, and contracts) and relevant risks, related to information confidentiality, integrity, and availability, are applicable to your context.

  In general, information is classified in terms of its confidentiality, and an example of classification would be:

  • Confidential (only specific people can access information)
  • Restricted (only people who work in the town hall may have access to information)
  • Public (information can be accessed by anyone)

  Note that, if integrity or availability are relevant aspects to be taken into account, the classification scheme will be changed.

  Please note that in case confidentiality or integrity are relevant aspects to be taken into account, the classification scheme will change.

  So, you need to understand the needs of the prefectures to define the best classification scheme for them.

  This article will provide you a further explanation about information classification:

  • Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

• Classificação da informação digital

  A ISO 27001 não prescreve uma maneira de classificar as informações, assim as organizações podem adotar o esquema que melhor atenda às suas necessidades. O esquema adotado só precisa estar alinhado aos riscos percebidos e aos requisitos legais aplicáveis.

  Considerando isso, primeiro você precisa identificar quais requisitos legais (por exemplo, leis, regulamentos e contratos) e riscos relevantes, relacionados à confidencialidade, integridade e disponibilidade das informações, são aplicáveis ao seu contexto.

  Em geral informações são classificadas em termos de sua confidencialidade, e um exemplo de classificação seria:

  • Confidencial (apenas pessoas específicas podem ter acesso a informação)
  • Restrita (apenas pessoas que trabalham na prefeitura podem ter acesso a informação)
  • Pública (informação pode ser acessada por qualquer pessoa)

  Observe que, caso a integridade ou disponibilidade sejam aspectos relevantes a serem levados em consideração, o esquema de classificação será alterado.

  Portanto, você precisa entender as necessidades das prefeituras para definir o melhor esquema de classificação para elas.

  Este artigo fornecerá mais explicações sobre a classificação das informações:

  • Classificação da Informação de acordo com a ISO 27001 https://advisera.com/27001academy/pt-br/blog/2014/05/14/classificacao-da-informacao-de-acordo-com-a-iso-27001/

• Specific legal requirement/protection by implementing ISO 27001

  Please note that ISO 27001 was not designed to fulfill any specific legal requirement. It was developed based on globally recognized market practices for the protection of information, but its practices are so widely accepted and used that they can help fulfill most of the general aspects of laws and regulations around the world.

  These articles will provide you a further explanation about how to use ISO 27001 to comply with legal requirements:
  - Comparison of HIPAA compliance and ISO 27001 certification https://advisera.com/27001academy/blog/21/01/27/hipaa-compliance-vs-iso-27001/
  - Comparison of SOC 2 and ISO 27001 certification https://advisera.com/27001academy/blog/21/02/02/iso-27001-vs-soc-2/
  - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  - PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences https://advisera.com/27001academy/knowledgebase/pci-dss/

  In case you are interested in which legal requirements you need to consider when implementing ISO 27001, our recommendation is for you to hire a local legal expert to help you identify such requirements. An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.

  This article can provide a start: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

  But please note that the list in this article is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn).

  These materials will also help you regarding ISO 27001:
  - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Mandatory controls for SoA

  1 - Right now I'm about to do the SoA but is there anywhere I can find the full list of all 114 controls? 

  Answer: Please note that the Statement of Applicability template in your toolkit already contains names of the 114 controls listed in the ISO 27001 Annex A.

  In case you are looking for detailed information about them, then you need to buy the standard ISO 27001 because its content is an intellectual property of ISO and cannot be sold with the toolkit.

  By the way, included in the toolkit, you have access to a video tutorial that can help you fill in the Statement of Applicability.

  For further information about ISO 27001 controls, see:
  - A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/

  This material can also help you:
  - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  2 - And can i somehow see/know which of them are mandatory to implement?

  Answer: Please note that no control in ISO 27001 Annex A is mandatory to implement. The need for implementation is based on the results of risk assessment and identified applicable legal requirements.

  Included in your toolkit you have access to video tutorials that can help you perform a risk assessment and determine which controls would be required for your implementation.

  For further information, see:
  - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

  These materials will also help you regarding risk management:
  - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/