
  • ISO 9001 implementation

    A possible approach to implement a quality management system can be:

    • Set up a project sponsor, a project manager, and a project team. Ensure top management support, and get training about the standard. Designing and implementing a quality management system implies being knowledgeable about ISO 9001:2015.
    • As a first step, perform a gap analysis to determine the amount of work to be done, comparing what your organization already has in place with the ISO 9001:2015 requirements. From that gap analysis, you can develop your project plan, listing what needs to be done, by whom, and by when.
    • Then, an important step is to design a model of how your organization works as a set of interrelated processes. For example:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/1935f850-848f-49a9-afd0-b9009018cd92

    • Decide how to describe and monitor those processes.
    • From there, it is a matter of implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

    To speed up the process you can use our Documentation Toolkit for the implementation of ISO 9001:2015 here - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ and check the free previews. You can also watch this free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/

    This is a very short description of the journey but below you can find more detailed information:

    You can find more information below:

  • Consultant performance review

    I understand that you are receiving information from performance review done by a client. Is that client important? Is that client part of the segment of target clients? For example, low cost airlines receive a lot of complaints, but most of those complaints are not about errors or “defects”, but about decisions made according to its strategy of keeping costs down. In the case you are receiving performance feedback from a target-client, you can start to acknowledge and thank the information received. Then, analyze and understand if it makes sense, if the company can frame and incorporate it. And communicate the decision to the customer. If the decision is to frame it, it may make sense to communicate the timing for its implementation.

    You can find more information below:

  • Difference between EU manufacturer's distributor and (transport) service provider

    There is no special difference. Every distributor can also be a transport provider. The distributor does not have to perform the installation of the medical devices; this depends on the agreement between the manufacturer and the distributor.

  • How to calculate RTO and RPO

    First, it is important to note that RTO and RPO are most often defined based on a scenario evaluation instead of being calculated, because calculating them can become very complex and time-consuming.

    Considering that, RTO (Recovery Time Objective) is defined based on how fast you want to resume your operations after a disruption, while RPO (Recovery Point Objective) is defined based on how much data you can afford to lose due to a disruption.

    For example, if an application has an RTO of 1 day and an RPO of 4 hours, it means that this application can be recovered (resume normal operation) in one day, but the information from the last 4 hours before the interruption occurred will be lost.

    This article will provide you a further explanation about RPO and RTO:

    These materials will also help you regarding RPO and RTO:

  • Questions about ISO 27001 implementation

    1 - It’s not yet clear to me what we must do exactly if a risk from the treatment table is not acceptable and requires some implementations.

    What is the accepted time frame for risks mitigation?
    For an unacceptable risk which requires new controls for treatment, what if we plan the implementation – say – 1 or 2 years later?
    Is it allowed by the standard and/or auditor?
    Will it be visible in SoA’s residual risks?
    In other words, does it have to be addressed before the next assessment, or the next audit, or freely?

    ISO 27001 does not prescribe a time frame to implement controls, so organizations are free to define the time frame that best suits them, but a time frame of 1 or 2 years is not recommended, because by the time you finish the implementation the risks may have changed (due to changes in business conditions or changes in threats and vulnerabilities), and the previously planned controls may not be effective or needed anymore.

    Now, considering certification purposes, at least the controls related to the most relevant risks must be implemented, with proper evidence of implementation and operation, by the time of the certification audit, because risk treatment is a mandatory clause, and the certification auditor will check this. Risks with controls not implemented should be accepted by the organization, and these must be included as defined in the Statement of Applicability template. Included in the toolkit you bought, you have access to a video tutorial that can help you fill in the SoA document.

    For further information, see:

    2 - If the risks must be absolutely mitigated “quickly” when not accepted, then we may need to relax the acceptance criteria to encompass them. Can we say:

    Based on a yearly budget, state that i.e. high risks can be accepted only if there is no room left for the implementations in the running assessment… (or financial year… somehow)
    The risk mitigation may therefore be postponed to the next assessment (hopefully not indefinitely..) or “whenever possible”
    Would that kind of acceptance criteria fit with the standards and pose no issue with auditors?
    I suppose that such accepted risks will again appear in the SoA (but it makes sense)

    ISO 27001 does not prescribe risk acceptance criteria, only that they must be defined. Considering that, your organization can establish any criteria it sees fit (your criteria example is acceptable). You only have to be careful not to postpone relevant risks indefinitely, because this can be seen as a lack of commitment to information security, and this can compromise certification. About the SoA, your assumption is correct: the accepted risks will appear in the SoA.

    Also included in your toolkit is a video tutorial that can help you with risk assessment and treatment.

    This material can also help you:

    3 - Concerning the risk assessment:

    Will our estimations of impact or likelihood be strongly challenged by the auditor? (sometimes there is room for debate..)
    Do we have to prepare evidence for each asset assessment or risk, to assist in the verification?
    Clearly, doing so, in advance, and for many risks/assets is not feasible for us
    I guess the focus will be on the SoA instead and how the controls are implemented? (or to explain why they are not)

    The auditor will check if your estimations make sense considering your organizational context and ISMS scope, and will only ask additional questions if something is too far away from normally expected results (for example, the impact of a datacenter being down due to fire valued as 1 on a scale from 1 to 5, where 5 is the highest impact).

    For audit purposes, the Risk Assessment Table and the Risk Treatment Table are sufficient for the auditor.

    The SoA is the initial guide for the auditor to understand your information security context, but during the audit, he will check how the controls are implemented.

    This article will provide you a further explanation about estimating risks:

  • ISO 27000 and ISO 31000

    Please note that no standard from the ISO 27000 group or from the ISO 31000 group prescribes that the owner of information assets must be the owner of the information risk, nor that information risk is an operational risk.

    ISO 27001 requires, and ISO 31000 suggests, the definition of risk owner, but neither prescribes a framework to organize risks, so organizations are free to organize them as they see fit.

    These articles will provide you a further explanation about risk owner and asset owner:

    This material will also help you:

  • ISO 27001 certification for a group of companies

    It is possible to have a single certification for your organization and its subsidiaries, but please note that implementing a certification in multiple geographic locations is a complex, and more expensive, task, and you should go for it only if it is really necessary for business strategies and objectives. Instead, you should consider prioritizing the locations and implementing the certification one location at a time. Additionally, with multiple certifications, in case one location has a problem fulfilling requirements, this will not affect the certification of the other sites.

    These articles will provide you a further explanation about scope definition:

    This article will provide an additional explanation about single certification for multiple entities (although it is about ISO 9001, the same concept applies to ISO 27001):

    This material may also help:

  • Ensuring proper resources are on board

    It refers to all persons/expertise/budget resources needed to implement the project. It depends on the size of the company, of course.

    For example, to implement the project and verify all risks it can be the DPO, the IT Manager, and the Head of the Legal Department, but of course, if you need to implement a teleworking policy you may also need the HR manager. Or, to mitigate the risks, you may need to buy new software/hardware.

    When implementing the GDPR project you need to take into account all these elements before starting.

    To know more about how to start implementing GDPR, here you can find a 9 step procedure:

    You can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • EU GDPR representative

    Yes, your company needs an EU Representative in order to be contacted by data subjects or by the supervisory authority in case of need. It can be a person (i.e., a GDPR expert) or a company. The EU Representative shall be appointed in the country where the services are offered (Article 27 GDPR), so if your company will have an Italian client, it will be better to appoint an Italian EU Representative.

    If you need to know more about EU Representatives and Cross-border data transfer under the EU GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//


  • Toolkit content

    What documents of your Toolkit refer to the following issues:

    Intragroup Data Transfer Agreement (IGDTA)

    Our Toolkit is focused on small or mid-sized companies, so, unfortunately, the toolkit does not have intragroup policies since they apply only to larger companies.

    Technical and Organisational Measures (TOMS)

    All documents contained in the folder named “Security of Personal Data” refer to Technical and Organisational Measures. It contains:

    • IT Security Policy
    • Access Control Policy
    • Security Procedures for IT Department
    • Bring Your Own Device (BYOD) Policy
    • Mobile Device and Teleworking Policy
    • Clear Desk and Clear Screen Policy
    • Information Classification Policy
    • Anonymization and Pseudonymization Policy
    • Policy on the Use of Encryption
    • Disaster Recovery Plan
    • Internal Audit Procedure

    Newsletter Policy

    In the Folder “Website documents” you can find the website privacy policy where the newsletter is included along with the Contact form, Shop, and other parts of the website.

    Here you can find our Toolkit and download the free demo or watch the video tutorial on the implementation of GDPR through our Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
