Search results

Where to begin implementing ISO 9001 for a Port Authority

If your organization wants to implement a quality management system (QMS) according to ISO 9001:2015 requirements you can start by reading this article - How to get ISO 9001 certified - https://advisera.com/9001academy/iso-9001-certification/

A possible approach to implement a QMS can be:

• Setup a project sponsor, a project manager, and a project team. Ensure top management support, get training about the standard. Designing and implementing a quality management system implies being knowledgeable about ISO 9001:2015.
• As a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis, you can develop your Project Plan, listing what needs to be done, by whom, until when.

Then, an important step is to design a model of how your organization works as a set of interrelated processes. For example:

Decide how to describe and monitor those processes.

From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

If you need to speed-up your implementation process you can consider our Documentation Toolkit for the implementation of ISO 9001:2015 here - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ and check the free previews. You can also watch this free webinar on-demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/

This is a very short description of the journey but below you can find more detailed information:

You can find more information below:

• Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Fines issued in UK for non-compliance to GDRP

You can find all enforcement decision issued by the Information Commissioner's Office on its website: https://ico.org.uk/action-weve-taken/enforcement/

There is also this Enforcement tracker where you can filter by country: https://www.enforcementtracker.com/

If you need more information about GDPR enforcement and how the Supervisory Authorities work, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Non-applicable clauses for supplier of component for medical device

I do not have enough information here, but the following requirements can be marked as non-applicable :

• 6.4.2 Contamination control – if it is no necessary to have special control of the work environment during production
• 7.5.2 Cleanliness of the product - if it is no necessary to monitor cleanliness of the product, if it is not sterile
• 7.5.3 Installation activities - if your component does not need installation
• 7.5.4 Service activities – if your comnponent does not need service
• 7.5.5 Particular requirements for sterile medical devices – if your component does not need to be sterile
• 7.5.7 Particular requirements for validation of processes for sterilization and sterile barier systems - if your component does not need to be sterile

Maybe there are some more requirements that can be marked as non-applicable, but for defining that I need more information regarding the product.

For more information regarding the ISO 13485:2016, please see following articles:

• What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
• Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/
• How to structure Quality Management System documentation according to ISO 13485 https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

For any other question regarding the ISO 13485:2016, please do not hesitate to ask us.

Managing records kept on the basis of documents

Although ISO 27001 requires the storage of specific documents and records (clause 7.5.3 d), and that changes on them are controlled (clause 7.5.3 e), it does not prescribe how to store them or control changes on them, so organizations are free to define the methods that best suit their needs.

Considering that, storing documents in Excel or Word form is acceptable by the standard. However, the version history feature in Office365 may not be sufficient, because it can help detect an unauthorized change, but cannot prevent it. One way to make your solution more robust, you can limit the users that can edit a document to a small group of users.

These articles will provide you a further explanation about documentation management:

• Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
• Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

These materials will also help you regarding documentation management:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Network controls

By “system” you should understand software or set of software. For example, operational systems, Office 365, and SaaS applications are examples of systems.

When control A.13.1.1 (Network controls) requires a system to be authenticated, it means that the system must show proof that it is the system it claims to be (much like a human user must prove his identity when accessing a system or physical area), by means of presenting a password or one-time code provided by a token along with its identification. By adopting this control, you can ensure that only systems you know and have authorized can access your network. For example, when you access your organization’s network you need to provide your identification and authentication information, right? It is the same thing, only applied to systems (each system should have its own identification and authentication information).

When we talk about the restriction of system connection, we mean that a system should access only what is necessary for its activities. For example, a payment application should have access to the organization’s finance systems and customer databases, but most probably should not have access to HR systems or R&D applications.

These articles will provide you a further explanation about network controls:

• How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
• Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls https://advisera.com/27001academy/blog/2016/07/04/using-intrusion-detection-systems-and-honeypots-to-comply-with-iso-27001-a-13-1-1-network-controls/

These materials will also help you regarding network controls:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ 

ISMS Manual contents

The information about the Information Security organizational structure can be described in the Information Security Policy. You can see a demo template of this document at this link: https://advisera.com/27001academy/documentation/information-security-policy/

The documental framework of the ISMS can be defined in a Procedure for Document and Record Control. You can see a demo template of this document at this link: https://advisera.com/27001academy/documentation/procedure-for-document-and-record-control/

These articles will provide you a further explanation:

• Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
• What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
• Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

These materials will also help you:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Changing career to Lead Auditing from LIMS company

To start your journey to become an information security auditor you should attend an ISO 27001 Lead Auditor Course, so you can understand the concepts of the ISO 27001 management system and the processes and techniques involved in an audit.

After attending the course and be approved in the exam, if you want to work as a certification auditor, you need to accumulate audit hours working for a certification body, first as an observer, and after that as an audit team member, so you can gain understanding and experience in practical audits. After sufficient auditing hours for a certification body, and good evaluations from your team leader, you can achieve the status of certification auditor and after that certification for lead auditor.

Here is the ISO 27001 Lead Auditor course from Advisera: https://advisera.com/training/iso-27001-lead-auditor-course/

This article will provide you further explanation about becoming lead auditor:
- How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

ISO 27001 corporate vs business functions

I’m assuming that by business functions you mean activities related to the organization’s core business, while for corporate functions you mean supporting activities.

Considering that, please note that ISO 27001 aims to protect any kind of information, and depending on the defined scope, the information can be either related to Business functions as well as to Corporate functions. So, you need to clarify first with your assessment team which information, processes, and/or locations will be part of your ISMS to verify which functions need to be assessed.

These articles will provide you a further explanation about ISMS scope:

- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding ISMS scope:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 17025 accreditation

Note that the correct term is accreditation, not certification; as it involves formal recognition of technical competence.

The period of implementation will depend on the size of the labororatory, the number of tests to be added to the Scope of work; as well as naturally, the available reources. Typically from start of project to application for accredition could be anything from 12 months onwards. Once you have applied, it may be up to 3 months before the accredition body perfom the assessment. You then would usually have 3 months to implement any corrective actions before being awarded accreditation.  This means that for a small laborory, it may be a short as 12 months, but typically longer. 

The costs will depend on the accreditation body. I suggest you contact them and request a quotation. In awarding accreditation, the accreditation body attests to your laboratory’s competence to provide consistently valid results through meet the requirements of 17025. An accreditation certificate, which details your scope of accreditation is then issued.

Have a look at how the ISO/IEC 17025:2017 Documentation Toolkit may assist you, available at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ and download some free tools to help with project planning, at https://advisera.com/17025academy/free-downloads/

• Project Plan for ISO/IEC 17025 implementation
• Diagram of ISO 17025 Implementation Process

For some more information here are some useful resources, Download the complimentary white papers:

• Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
• Checklist of mandatory documents required by ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025

and watch the Free webinar – https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025 at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar-on-demand/

Environmental criteria/groups that hydroelectric power projects can face

Unfortunately, that is a very specific question and I do not have particular information on that area. What I can list is a set of topics that may be considered risk factors:

• Earthquake can deteriorate construction
• Excess rain may determine the need to discharge water from the dam and promote floods downstream
• Lack of rain may determine failure to supply water downstream at ecological levels
• High temperature and stagnant waters may develop hazardous bacteria or promote eutrophication
• Blocking the flow of water when it is contaminated, for example, by discharges from a chemical company, preventing contamination downstream (opportunity)
• Destroying or badly affecting traditional river fishing activities due to high variations in water level downstream within a 12 hour period

Do you get the pattern?

Events that may happen, but you cannot say when will it happen

Perhaps the last one is not a risk, there is no uncertainty, it is forecastable and the probability is far from zero.

Please check this information below with more detailed answers:

• ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/