First, it is important to note that ISO 27001 does not require a Lead Auditor course for performing internal audits. An internal auditor course is enough for such a purpose.
Considering that, there are no significant differences between LA certificates issued by PECB or issued by Advisera/accredited by Exemplar Global. Such certificates are needed only for professionals who want to work as a certification auditor in a certification body, and in this case a particular certification body might have a preference for one or the other accreditation body.
Generally speaking, you need to understand the objectives the client wants to achieve, its line of business, and how the business is organized. Based on this information you can develop additional questions and identify additional persons to talk to.
Please note that there are no set of definitive questions to be asked, only general topics to be covered.
To become an ISO 27001 auditor or ISO 27001 implementer, you should first acquire experience in these fields, and the most common ways are to work inside your current company auditing/implementing information security or working for an established consultant.
For more information about auditing/implementing ISO 27001 and how to become a consultant, please read:
These materials will also help you regarding ISO 27001 auditing/implementation:
ISO 17025 implementation applies to the overall activities of the laboratory, including for example personnel training or procurement. The “test-by-test” basis you refer to is applicable to the laboratory’s Scope of Work, for which accreditation is applied for. So you state what is being calibrated (including method and range); or what is being tested (analyte or group of analytes), in what matrix and using what method or instrument. An example is Heavy Metals in Soil by ICP-MS. For each method, yes, you need to show technical competence to produce reliable, valid results. If your laboratory is not involved with sampling, then you state in your documentation that sampling is not the responsibility of the laboratory.
For more detail on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the ISO 17025 Academy toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Each organization is a different case. Each organization has different motivations, different amounts of staff, and different starting points in its survey of the initial environmental situation. The implementation phase requires a project manager almost full time; often this does not happen. Some companies may start from a base where they have to make major investments to meet compliance obligations. Some companies may find it difficult to provide time for training in good environmental practices.
Please check this information below about implementation:
ISO 27001 does not prescribe how to define information labeling, so your proposed scheme is acceptable by the standard (i.e., keep “Internal use” information unlabeled, and label public information as public).
These articles will provide you a further explanation about information classification:
These materials will also help you regarding information classification:
I’m assuming you are asking for tools and approaches for asset inventory and risk analysis.
Considering that, it is our policy not to make recommendations about tools or technologies.
Regarding the approach for risk analysis, the most common approach used for information security based on ISO 27001 is the asset-threat-vulnerability approach.
For more information, see:
To see a template of risk assessment compliant with ISO 27001, see this link:
As for asset inventory, ISO 27001 does not prescribe an approach for asset inventory. Actually, the inventory of assets is not needed, especially when companies are implementing the standard for the first time - it is enough to develop a list of assets for the Risk assessment, and once this is done this list is simply copied to Inventory of assets.
To see a template of inventory of assets compliant with ISO 27001, see this link:
This article will provide you a further explanation about the inventory of assets:
These materials will also help you with these activities:
You can find a set of guidelines for controlling external documents in this article - What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
You can find more information below:
First, it is important to note that major/minor nonconformities are normally used only for certification/surveillance audits of certified ISO management systems. Internal audits in general use the ratings you mentioned.
Considering that, major nonconformities would compare to a high rating, while minor nonconformities could be compared to a low or medium rating, depending on the criteria used by the organization.
As for Opportunities For Improvement (OFIs), they should be rated considering criteria adopted by the organization to evaluate their potential benefits (i.e., they could be rated low, medium, or high).
These materials will also help you regarding NC and OFI ratings:
Please note that since the year 2000 ISO 9001 is no longer about quality assurance, but about quality management.
An organization with a quality management system should have a quality policy. A quality policy is a set of intentions and directions for an organization as determined by top management.
You will not see this in ISO 9001:2015; this is my practice. When I work with an organization’s top management in developing their quality policy, I recommend thinking about some questions:
After discussing the questions and answers and after arriving at some consensus, I invite the organization to write a text with the following structure:
The following material will provide you more information about the quality policy:
Change control is very important in ISO 17025, as with any management system. In ISO 17025 it is typically managed at the activity level, for example Data, Information, Document and Record management; or ensuring validity of results. The scope of ISO 17025 is the competence, impartiality, and consistent operation of laboratories. To achieve stability and consistent operation, risks and opportunities must be managed. This means that any changes to management and technical activities must be planned, controlled, and coordinated. For example, changing a supplier of a critical chemical reagent could invalidate a method if the risk is not considered and the impact of the new chemical supply is not evaluated.
For more detail on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/