Search results

Documenting mandatory documents for ISMS

When writing mandatory documents you need to take into account all the elements that are prescribed in the standard - e.g. in Statement of Applicability you need to include all 114 controls from Annex A, and for each one if it is applicable, the justification, and the status of the implementation. 

This white paper will give you an overview of mandatory documents, and how to structure them: Checklist of Mandatory Documentation Required by ISO 27001 https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001 

This free online training will teach you the basics of the ISMS and what are the steps in the implementation: ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/ 

What to exclude from Procedures and/or Quality Manual?

If you will not design any new products, it means that you are manufacturing already known products, that you can exclude requirement 7.3 Design and development. In our documentation toolkit, you do not need to use folder 09_Procedure_for_Design_and_Development.

If your medical device is not sterile, it means that requirement 7.5.5 Particular requirement for sterile medical devices and 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems. In our documentation toolkit, you do not need to use 12_Procedures_for_Sterile_Medical_Devices. 

Each exclusion must be stated and explained in the Quality manual. For example, requirements 7.5.5 and 7.5.7 are not applicable because our medical devices are not sterile.

On the following link you can find tips on how to write a short quality manual for ISO 13485:

• ISO 13485: How to write a short quality manual https://advisera.com/13485academy/knowledgebase/iso-13485-how-to-write-a-short-quality-manual/

• Setting quality in a service that an institute provides

  Let us apply ISO 9001:2015 clauses 4.2, 4.4, 4.1, and 6.1 to help me in developing the answer.

  4.2 - What is the institute’s purpose? Why does it exist in the first place? Whom does it serve? What are their needs and expectations? An institute, like any other organization, has to serve its “customers” (even if they are not the ones who pay) and its patrons (the ones that pay, maybe the government and private donors, for example). These groups also have needs and expectations. And the service may have to be provided under a set of regulations that act as constraints. So, list the more relevant needs and expectations. You see, after all the noise and bells and whistles, the institute exists to provide, to answer, to deliver on those needs and expectations.

  From here you can define and characterize the set of services that are provided by the institute, and their outcomes, their service specifications.

  4.4 – What kind of processes are needed to systematically provide the desired outcomes according to specifications? Develop the model of your organization based on the process approach.

  4.1 – Is it easy to deliver on those needs and expectations? While answering this question reality sets in. The institute is placed in a certain context with internal and external issues. Perhaps there is not enough money, perhaps there is a lack of staff, perhaps “customers” don’t collaborate, perhaps there are voluntaries that can be called to help, …

  6.1 – when you confront the relevant needs and expectations of the relevant interested parties with the internal and external issues from the context you can determine risks and opportunities. What can help you or hinder you in meeting the desired outcomes according to specifications? You can use the most relevant risks to develop a Quality Plan – what needs to be controlled, what needs to have work instructions, what needs to be recorded, what kind of training is needed, … this way you are starting to design your quality management system not based on mambo jambo, but in what really matters to the purpose of the institute and its interested parties.

   

  You can find more information below:

  • About context and interested parties you can see this free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - - where I present examples of internal and external issues and how to determine them, and examples of interested parties and their requirements and expectations.
  • About mapping and risks, you can see this free webinar on-demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
  • About risks, you can see this free webinar on-demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
  • How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
  • How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (I use the approach of this answer in this book)

• Developing a standard project applicable to real "construction sites" for a cleaning cooperative in the development of service design

  Each construction site is different, no two are alike. So it doesn't make sense to have a standard model applicable to all of them. The cleaning service at a construction site can be translated into what elementary activities? For example, cleaning meeting spaces, cleaning bathrooms, ... Does it make sense to develop a standard library of elementary activities - which describes the service, the type of equipment that can be used, the type of materials and people, the type of specifications that must be established in each case. Then, for each specific construction site, the site is visited, the client's requirements are listed, and a proposal is prepared taking into account the dimension, the set of elementary activities, their frequency, and specifications.

  Does this make sense to you?

  The following material will provide you more information:

  • The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
  • About conducting design and development reviews consider - ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
  • ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• Compliance with monitoring and measurement requirement

  I assume you are referring to ISO 27001 clause 9.1 or ISO 22301 clause 9.1. 

  Measuring means that you set certain objectives (e.g. maximum number of incidents) and that you evaluate if your achieved numbers are within your expectations. 

  Monitoring means that you track the performance of a particular process or a system (e.g. log activity) and you react if the trends are out of the ordinary. 

  These materials will help you learn more: 

  • article How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  • free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ 

• Updating the Incident Management Procedure

  It would be great if you could share some examples for different categories like security weakness or event and incidents. This way we can get a better understanding of each type.

  Weakness is a characteristic of an asset which enables a potential threat to create an incident - for example, this could be a software that is not patched. For other explanations see this article: ISO 27001 information security event vs. incident vs. non-compliance https://advisera.com/27001academy/blog/2018/12/03/iso-27001-information-security-event-vs-incident-vs-non-compliance/ 

  Should we include our maintenance window to this document to exclude from our SLA? I mean we use this document as a reference for SLA.

  I assume you refer to Incident Management Procedure - this procedure needs to be aligned with your existing SLAs, meaning you have to plan to react to incidents in a way to comply with the requirements from your clients. 

  Here's some more information: How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/ 

  Do you recommend any tool for handling incidents proper for small business?

  In couple of months time we will launch a new SaaS tool that will help smaller companies handle incidents compliant with ISO 27001 - we'll let you know once we complete it. 

• Contingency planning 

  1-is contingency plan part of ISO22301 requirements?

  The word "contingency" is not used in ISO 22301, but the whole idea of ISO 22301 is to prepare a company for a disruption. 

  2-who should develop contingency plan and scenarios

  Usually a person is appointed to coordinate business continuity project, and this person together with the heads of departments develops the whole business continuity documentation. 

  See also: The challenging role of the ISO 22301 BCM Manager https://advisera.com/27001academy/blog/2016/03/21/the-challenging-role-of-the-iso-22301-bcm-manager/ 

  4-is there any conflicts between having contingency plan is ready and ITDR project ?? I mean is it an obstacle for DR project if I do not have contingency pls

  If by "contingency" you mean the plans on how to recover your IT infrastructure, then the answer is that you must have those plans. 

  Finally, do u have a kit for crisis scenarios?

  ISO 22301 Documentation Toolkit contains a list of most common disruption scenarios; it also contains a documentation for risk assessment with catalogs of threats and vulnerabilities.

  You can see the details here: https://advisera.com/27001academy/iso22301-documentation-toolkit/

• ISO 9001 requirements for implementation

  No, there are no mandatory requirements for the person leading the ISO 9001:2015 implementation project. However, knowing the standard is a great obvious help. Also, taking our ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/ can be helpful to learn some good practices.

  Later in the implementation life cycle, your organization will need to perform internal audits. At that moment it is useful to have at least one person in the organization able to do that. So, later in the implementation life cycle, you can attend a training course like our free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/

  You can find more information below:

  • Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
  • Free webinar on-demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• How to exclude information in the definition of scope?

  I assume your question is how to exclude maintenance and administrative tasks for the EMEA area of hosting from your scope. 

  First you have to consider if this exclusion is feasible or not - if the people who work on mentioned tasks within your branch cannot be logically and/or physically separated from the rest of your branch office, then it would be better if they remain in the scope. 

  If it is feasible to exclude the activities you mentioned from the scope, then you have to define in your ISMS Scope document which activities are, and which are not included in your scope. Together with the toolkit you purchased you have the access to the video tutorial that explains how to fill out the ISMS Scope document. 

  These materials will also help you with the scope definition: 

  • article Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ 

• Certificação ISO 27001

  A ISO 27001 foi projetada para ser implementada em organizações de qualquer tamanho e indústria, portanto, as etapas gerais são as mesmas para qualquer indústria, incluindo as da indústria gráfica.

  Em termos gerais, depois de obter suporte para seu projeto (por meio da aprovação do plano de projeto do SGSI) e da aprovação do Procedimento para Controle de Documentos e Registros, você deve considerar estas etapas:

  • definir a estrutura básica do SGSI (por exemplo, escopo, objetivos, estrutura organizacional), por meio da compreensão do contexto organizacional e dos requisitos das partes interessadas
  • desenvolvimento de avaliação de risco e metodologia de tratamento
  • realizar uma avaliação de risco e definir o plano de tratamento de risco
  • implementação de controles (por exemplo, documentação de políticas e procedimentos, aquisições, etc.)
  • treinamento e conscientização de pessoas
  • controla a operação
  • monitoramento e medição de desempenho
  • realizar uma auditoria interna
  • realizar a revisão crítica da gestão
  • abordar não-conformidades, ações corretivas e oportunidades de melhoria.

  Para ver como são os documentos em conformidade com a ISO 27001, sugiro que você dê uma olhada na demonstração gratuita de nosso kit de documentação ISO 27001 neste link: https://advisera.com/27001academy/pt-br/kit-de-ferramentas-da-documentacao-da-iso-27001/

  Este artigo fornecerá uma explicação adicional sobre a implementação do ISMS:

  • Lista de verificação de implementação ISO 27001 https://advisera.com/27001academy/pt-br/knowledgebase/lista-de-verificacao-para-implementacao-da-iso-27001/

  Esses materiais também irão ajudá-lo com relação à implementação da ISO 27001:

  • How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/