Search results

Aligning ISO 17025 with ISO 14001, ISO 45001 and ISO 9001

The alignment of ISO QMS standards is based on the ISO harmonization using what ISO refers to as a High-Level Structure (HLS). This ensured better integration as all ISO management systems reviewed after 2012 were revised to have the same look and feel by including a set of ten common clauses. Understandably, depending on the purpose and scope of the standards, the other main clauses will differ. ISO Standards are reviewed every 5 years and either confirmed as current or revised.  ISO 17025:2017 is currently under review, however, that does not mean it will be revised, as already in 2017 the HLS was adopted. ISO 17025 was revised after ISO 9001:2015 and was aligned to ISO 9001:2015 at the time (both having the HLS). Refer to clause 8 – you will see the harmonization. For interest,  see from the ISO website that ISO 9001:2015 was last reviewed and confirmed as current in 2021; ISO 14001:2018 was last reviewed and confirmed in 2022. ISO 45001:2018 is the most recent revised standard you have mentioned.  

When integrating QMS in your organizations, you can combine activities together by referencing different clauses for different Standards and ensuring that the appropriate process is followed say for the ISO 17015 and ISO 14001 components of the integrated QMS.

For some further information have a look at my post at https://community.advisera.com/topic/laboratory-certifications-for-iso9001-and-17025/ 

ISO 27001 doubt on applicability of controls

Please note that the mentioned controls:

• 8.25 Secure development life cycle
• 8.26 Application security requirements
• 8.27 Secure system architecture and engineering principles
• 8.28 Secure coding
• 8.29 Security testing in development and acceptance 

They are intended to protect the development of any software, not just in-house software, so if your company intends to make changes to an open-source software/platform and there are relevant risks or applicable legal requirements (e.g., laws, regulations, or contracts) that justify implementing such controls, then you need to implement them.

Only in case you do not have relevant risks or applicable legal requirements or have open-source software where you do not make any changes, then you do not need to implement these controls.

For further information, see:

• How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/blog/2017/01/24/how-to-integrate-iso-27001-a-14-controls-into-the-system-software-development-life-cycle-sdlc/

Completing RTP before certification audit

You can leave some of the activities of the Risk Treatment Plan to be completed after the certification audit under the following conditions:

1. That you have implemented before the certification the controls that mitigate the biggest risks - in other words, you can leave for conclusion after the certification audit only activities related to less important controls.
2. That you have specified the deadlines for the activities related to the controls that you will be implementing after the certification in your Risk Treatment Plan - of course, those deadlines must be after the certification date.
3. That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.

This means that activities related to the most important controls must have "implemented" status at the certification, while the less important controls can have the status "planned" or "partially implemented" at the moment of the certification.

This article will provide you with further explanation:

• Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Can a single legal entity have multiple ISO 27001 certifications?

It is possible for a single legal entity to have 2 ISO 27001 certifications, provided you can establish a clear separation between them (i.e., they shouldn’t have overlapping elements).

Team in charge of implementation and maintenance of the ISMS

From your question it is not clear whether you are asking about responsibilities for approving policies and procedures, or for responsibilities that are specified in information security documents.

1) Responsibilities for approving policies and procedures:

In smaller companies, one person usually approves documents, while there are usually 2 or 3 persons that are reviewing the documents before they are sent for approval.

2) Responsibilities specified in information security documents:

In the top-level Information Security Policy you should define:

• one person in charge of coordinating the ISMS
• one sponsor from the top management team

For detailed policies like Backup Policy or Access Control Policy, different people will have different responsibilities - e.g., the person in charge of doing the backup might be a different person from the one in charge of approving access.

The standard allows collective decision-making, however having a 3-person committee that decides about everything is impractical.

For further information, see:

• Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

• Certification

  First is important to note that the software is not certifiable against ISO 27001. What can be certified are departments or whole companies.

  You can certify either company A, or B, or both of them. Since this certification is driven by customer demand, it would be best to ask the customer which company would they prefer to be certified. If the customer does not have a preference, it would be more logical to go for company B.

  Regarding Conformio, it can be used to implement and maintain your Information Security Management System, no matter if you choose to go with company A or B. It is designed to be used by smaller companies.

  For further information, see:

  • Conformio (online tool for ISO 27001) https://advisera.com/conformio/

  • Mandatory documents

    Please note that organizations can still certify against ISO 27002:2013 until October 31, 2023, and companies already ISO 27001:2013 certified still have until October 31, 2025, to make the transition to ISO 27001:2022.

    For further information, see:

    • ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

  • ISO 22301 IT

    For ISO 22301 certification you need to include all the activities in your company (i.e., also business activities, not only IT or cybersecurity activities).

    For further information, see:

    • How to implement ISO 22301 in 17 steps https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/

    • Chapter 10.3 from IATF

      First of all, the issue of high scrap should be included in your company's risk analysis. As a result, risks are fed by unfulfilled goals, trends that go higher than expectations, internal and external changes, and chronic problems.

       

      Meanwhile, the high amount of scrap affects not only internal costs and profitability but also timely shipment to the customer.

       

      If I were you, I would mention these issues in my production or quality process risk analysis.

       

      In addition, the 6.1.2.1 Risk analysis article of the IATF 16949 standard  mentioned that, 

      "The organization shall include in its risk analysis, at a minimum, lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework. The organization shall retain documented information as evidence of the results of risk analysis.’’

       

      Therefore, such lessons learned shall be noted sometimes in the D-FMEA and sometimes in the P-FMEA. If your company is not responsible for the design, of course, it does not need to use D-FMEA, but there may be areas in P-FMEA that need to be updated.

      Whether it is AIAG FMEA rev 4 or AIAG&VDA FMEA; Error type, error reasons, and actions can be updated due to these scraps, which is expected.

       

      But I cannot say that every CI project should be subject to risk analysis or P-FMEA, it is necessary to look at it on a case-by-case basis.

       

    • Risk Register & BYOD

      1 - My first question is about infrastructure assets: do we have to include the private office of Singapore co-working space? What about air conditioning, power supply...? Also same question about the co-working space in Site B.

      Answer: You should consider the co-working spaces as an outsourced service in your asset register (you can add a new asset like “co-working space provider”). Air conditioning, power supply, and other assets related to the co-working space should not be included (all these are provided by the co-working space provider).

      2 - By extension, we have a BYOD policy. Do we need to include personal laptops and smartphones in the assets? 

      Answer: If private assets (e.g., private laptops, private smartphones, etc.) are used for business purpose, then these should be included in the Risk Register.

      3 - We are using a virtual server from a third-parties provider (2 in Site C, and 1 in Site A). Should we include these virtual servers in the assets? 

      Answer: Yes, you should include this virtual server as a third-party service.

      For further information, see:
      - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

      4 - We have a website: ***. Is it an asset? I saw in the list of assets: proprietary data. Could you give me an example of what it could be for us

      Answer: Yes, a website is an asset - if you are using a cloud service for hosting your website then you could list something like 'XYZ service for hosting the website'.