Search results

Time limit for document show to auditor during audit

As you know, it is mandatory to show records in the audit.
In the IATF 16949: 2016 standard, no time has been defined for this issue. However, according to clause 7.5 3, all documented information, namely documents and records must be available and accessible within the audit period.

Implementing ISO 27001 - timeframe

The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but in general, for small and medium-sized organizations the implementation duration, can vary from 10 to 12 months.

Regarding how many people should be included in the project, there is no definitive number you should consider (this number also depends on the complexity of the scope), but to increase chances of success, it is important that persons involved have experience in project management and knowledge of the standard. 

These articles will provide you further explanation about ISO 27001:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/
- Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/

These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO standards for Operations Security and Security Incident Management

1. To meet the ISO standards for Operations Security and Security Incident Management, is implementation of a cybersecurity tool necessary?

Answer:  ISO 27001 does not prescribe technologies or tools to be used. The need for their use should be evaluated considering the results of risk assessment and applicable legal requirements (e.g., laws, regulations, or contracts). If there are no relevant risks, nor legal requirements, demanding the application of cybersecurity tools, you do not need to implement them.  

For further information, see:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2. How much history of “records” is needed to show the auditor evidence of newly formed operational processes?

Answer: Please note that ISO 27001 does not require a minimum period of records (i.e., a minimum period of the ISMS operation before the certification), however, some certification bodies do have such requirements and some don't, so you should contact your certification body to confirm what criteria it applies. 

This article may also help you:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

3. Typically, once the ISMS prep is completed, how long after can a company get certified?

Answer: A company can request a certification audit as soon as it has all required documents and records to evidence the controls are implemented and working properly, and that the ISMS is being managed. The proper timeframe to request a certification audit will depend on the criteria used by your certification body.

4. Typically, for a small company, less than 20 employees, 5 sites, how long does ISMS project take?

Answer: The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but in general, for clients of this size our ISO 27001 Documentation Toolkit usually finish the implementation in 4 to 6 months.

To see how documents compliant with ISO 27001 looks like, please see the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These articles will provide you further explanation about ISO 27001:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- How long does it take to implement ISO 27001 https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/

These materials will also help you regarding ISO 27001 implementation:

- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

5. What are some examples of the information assets for the inventory list for a small company?

Answer: Here's an article that suggests the assets for different categories:

- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

These materials will also help you regarding identification of assets:

- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

- Asset List for ISO 27001 Risk Assessment (MS Word) https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/

Certifying bodies

The main certification bodies for ISO 27001 are:

• BSI: https://www.bsigroup.com
• Bureau Veritas: https://www.bureauveritas.com
• DNV: https://www.dnvgl.com/
• SGS: https://www.sgs.com/
• TUV: https://www.tuv.com

From their main site, you can verify if they have offices in your country.

To help you select a certification body, I recommend these materials:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
• List of Questions to ask an ISO 27001 or ISO 22301 certification body https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-certification-body

This material will also help you regarding preparation for certification:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/

13485 arrangements for Proof of Concept work

The minimum requirements for the ISO 13485 you can find in our ISO 13485:2016 documentation toolkit. If you go down on the linked web page, you will found a list of all documents that we have prepared.

You can see our ISO 13485 Documentation toolkit here: https://advisera.com/13485academy/iso-13485-documentation-toolkit/

Also on this link, you can find the list of mandatory documents for ISO 13485:

• List of mandatory documents required by ISO 13485:2016 https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/

But, please be aware that not all requirements are applicable to all types of medical devices. So, certain documents are not applicable. For example, if your medical device is not sterile, then documentation regarding the sterilization (7.5.5 Particular requirements for sterile medical devices and 7.5.7 Particular requirements for validation of process of sterilization and sterile barrier systems) are not applicable for you. If your medical device does not require installation or service, then documentation regarding installation and service is not applicable for you (7.5.3 Installation activities and 7.5.4 Service activities).

Review of QMS procedures

There is no requirement in ISO 9001:2015 to review internal procedures at planned intervals. However, I already worked with organizations that had to be audited by the FDA and in their case, it was mandatory to review internal procedures at planned intervals. So, there may be other external requirements besides ISO 9001:2015 requiring that review.

Concerning ISO 9001:2015, you are right, a procedure should be reviewed in terms of content when the owner sees an opportunity for improvement, or as a result of corrective action.

You can find more information about the documentation below:

• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

21 CFR 820 / ISO 13875

I assume you meant ISO 13485. Yes, you are right, there are a lot of similarities between ISO 13485 and FDA 21 CFR 820. 

The best ways to see what are similarities and differences between these two standards is on the following link:

• Differences and similarities between FDA 21 CFR Part 820 and ISO 13485 https://advisera.com/13485academy/blog/2017/10/05/differences-and-similarities-between-fda-21-cfr-part-820-and-iso-13485/

There is a proposal sent by FDA to transfer completely on the ISO 13485. This proposal was sent in 2018 and in 2020 decision was expecting. However, so far it is not legal yet. The main reason why the FDA was thinking of this transfer is that ISO 13485 is globally recognized as a quality management standard for medical device manufacturers.

For more information, see:

• FDA Update Transition to ISO 13485:2016 https://www.fda.gov/media/123488/download

• IATF 16949 4.4.1.2 Product

  Product safety is an issue taken with the new version standard of IATF 16949: 2016. 4.4.1.2 The parts from "a" to "m" clause cover almost the entire standard. Article h) is more about responsibility, authority, knowledge, escalation process.

  I have listed the typical audit questions for clause "h" below, but are not limited to them.

  •  Who is the product safety officer defined and how and where was it documented?
  • Do all employees know their duties and authorities regarding product safety?
  • When the customer complaint is received, who and what to do, how has this subject been described in the organization, and are the relevant employees competent and knowledgeable about customer complaints?
  • How did the organization define the escalation process?
  • Is a document like escalation matrix or etc. defined in QMS structure?
  • Are all employees, including senior management, knowledgeable about product safety?

• CE Marking and Major NCRs

  You are supposed to get this information from your Notify body. Usually, considering major NC it is necessary to send a CAPA plan and prove of solving it within one month.

  Here is some general guidance on how to deal with non-conformities:

  • How to deal with nonconformities in an ISO 9001 certification audit- https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/

  • Role of an ISO Lead Auditor and Implementer

    1. What is the role of the lead auditor and lead implementer in ISO processes?

    First is important to note that ISO management system standards do not require a lead auditor and/or lead implementer to perform ISO processes, so the organizations are free to adopt these roles or not according to their needs.

    Considering that, the lead implementer's role is to guide the management system implementation, from the identification of requirements to implementation of corrective actions and opportunities for improvement identified in the management review.

    The role of the lead auditor is to define the audit program, perform audits, and elaborate audit reports, according to the requirements of the ISO management standard. In case there is more than one auditor involved, the lead auditor is the responsible person for the team.

    For further information about these roles, see:

    • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    • Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
    • Free online training ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

    2. What should an organization have such persons?

    Lead implementers are not normally considered for regular positions in organizations, because in most cases management systems implementation are project-related activities, with a defined date to start and finish (it is best to hire than as consultants).

    On the other hand, internal audits are regular activities to be performed in a management system, and depending on the complexity of the audit program, when a single internal auditor is not enough to ensure a proper audit process, the presence of a lead auditor can bring benefits in terms or organizations and dissemination of competencies (they are qualified for training internal auditors).

    For further information, see:

    • How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    These materials will also help you regarding internal audit:

    • ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    • Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/