Search results

Information Classification

1 - Is there anything that would stop us from simply having two classifications Public and Confidential?

ISO 27001 does not prescribe classifications to be applied to information, so it is acceptable by the standard that your organization may adopt only Public and Confidential levels.

2 - Assuming we adopted a mandatory classification protocol at an individual document level on say December 1. What would be the recommendation as to classification of all pre-existing documents

I'm assuming that by classification you mean define it as different from public.
 
Considering that, the classification of pre-existing documents will depend on your needs, the results of risk assessment, and applicable legal requirements.
 
For example, for HR processes you may need to classify all documents related to employees, regardless of how old they are (in most countries this related to laws or regulations). On the other hand, for the Marketing campaign for a new product, you only need to classify it until the new product is released.
 
It is important to note that the classification of information at the document level is impractical for a large number of documents.

3 - ...If the response is that every old document must  be classified this would be impossible for us. So therefore my next questions are around whether we can classify not at document level, but at a higher level.:

ISO 27001 does not prescribe levels to consider to classify information, so you can use the classification that better suits your needs. For example, you can classify documents according to type, the processes or business units they are related to, or where they are stored (e.g., contract type documents, documents related to the software development process, documents related to the HR department, or documents stored in the CFO office).  

4 - Would it be legitimate to have a classification policy at a document type level?

Considering previous answers, a classification policy at the document type level is acceptable for ISO 27001 certification purposes.

5 - Or is it legitimate to classify based upon where the electronic document is stored (eg everything  in this Microsoft Teams channel is Confidential?

Considering previous answers, classifying documents according to where they are located is acceptable for ISO 27001 certification purposes.  

6- Overall any general thoughts / advice you may have for creation of a workable classification policy for such a small company?

These articles will provide you a further explanation about information classification:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
• Why is ISO 27001 applicable also for paper-based information? https://advisera.com/27001academy/blog/2019/01/21/why-is-iso-27001-applicable-also-for-paper-based-information/

Classification of company assets

Along with greeting you, I would like to please if you could help me with a question I have. I am classifying the assets of the company and in the case of computers and laptops, for example, do I have to enter into the classification all those that exist in the organization or only one?

I remain attentive to your response, greetings and thanks

By your question, I'm assuming you are talking about filling in the asset register.
 
Considering that, you need to include in the asset register all assets that are related to the ISMS scope (in case the scope covers all organizations, then you need to consider all computers and laptops). But you do not need to include every single asset. You can create a single asset named "laptop" or, in case you need to use different classification levels, you can identify assets like "common laptop" and "development laptop", and define a different classification for each one.
 
This article will provide you a further explanation about the asset register:  

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

ISO 14001 certification cost and duration

I believe you’re enquiring about the cost of getting a company ISO 14001 certified.
The cost and time of getting ISO 14001 certification depend on two important variables: the dimension of the organization and its environmental status.
For example, concerning time. When there are no problems with compliance obligations according to Advisera’s experience, organizations using our Documentation Toolkit, from start to certification, need:

• Companies of up to 10 employees - up to 3 months
• Up to 50 employees - 3 to 6 months
• Up to 200 employees - 6 to 10 months
• More than 200 employees - 10 to 20 months

Without our Documentation Toolkit, they need more time.
As someone implementing management systems as a consultant for almost 30 years, I have plenty of experience where organizations promise resources and commitment before starting the project and then they fail.

For example, concerning costs you have to consider two factors:
· What is the present situation concerning compliance obligations? For example, I have worked with some organizations that had to spend a lot of money to correct their air emissions.
· Certification costs will depend on certification body to certification body but the main factor is the number of workers in the organization.

Please check this information below with more detailed answer:

• Free webinar on-demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
• List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
• ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

SOP for Control of Nonconforming Product/Proces

According to the ISO 13485:2016, there is a requirement for the SOP for the Control of nonconforming product (requirement 8.3.1 General).

Return merchandise authorization is covered in the requirement 8.3.3 Actions in the response to non-conforming product detected after delivery. Usually, this requirement is covered in the same SOP for the Control of non-conforming products. Organizations must take actions appropriate to the effect that non-conforming products can be issued.

For more details, please see the following article:

• ISO 13485:2016 nonconforming product – How to approach the post-delivery actions https://advisera.com/13485academy/blog/2017/04/11/iso-134852016-nonconforming-product-how-to-approach-the-post-delivery-actions/
• Understanding dispositions for ISO 9001 nonconforming product https://advisera.com/9001academy/blog/2014/11/18/understanding-dispositions-iso-9001-nonconforming-product/

On the following link you can see how our procedure and template for the non-conforming product look like in ISO 13485:2016 Documentation toolkit:

• Procedure for Control of Non-Conforming Products https://advisera.com/13485academy/documentation/procedure-for-control-of-non-conforming-products-iso-13485-2016/
• Non-Conforming Product Record https://advisera.com/13485academy/documentation/non-conforming-product-record-iso-13485-2016/

• Excluding clauses of ISO 9001 for a law firm

  Excluding clauses is not a technical decision, it is a management decision based on the scope of the quality management system. For example, are Law firms not innovative and do not develop new services? Is clause 8.3 automatically not applicable?

  Only after looking into the scope of the quality management system, one can say if a clause is applicable or not.

  The following material will provide you more information about exclusions:

  What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
  Free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
  Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Environmental risk assessment in a garments factory

  You can start looking at your environmental aspects and impacts and determine what can go wrong and provide undesirable consequences like emergency situations or breakdowns.

  Then look for interested parties and determine possible changes for the future and their potential impact in your organization. For example, customer requirements may demand more chemicals, environmental legislation may be more demanding.

  PESTLE analysis may be useful to frame thinking about risks related with policy, technology, economy and social movements. Although about ISO 9001, perhaps the technique that I use and present in this free webinar on demand - Context of the organization, interested parties, and scope - - may be useful for you to work with context and interested parties to determine risks.

  Please check this information below with more detailed answers:

  • ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
  • ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

   

• ISO 9001 and supply chain control

  ISO 9001 is a generic standard applicable to all kinds of organizations. If an organization uses ISO 9001 to improve the business and to do more than just getting a certificate, we can look into clauses 4.2 and 6.1 of ISO 9001:2015 as a way of answering your concerns. For example, in this free webinar on-demand - Context of the organization, interested parties, and scope - - I show how a set of participants in a business ecosystem can be included. When working with organizations on this topic I recommend thinking in more than just the needs and expectations of the interested party – that means:
  

  About the fake/fraudulent components, it is a matter of thinking about risks and acting on those more significant. For example, I’m currently working with a manufacturing company on the implementation of a quality management system. One of the risks determined was about using raw materials during production with specifications changed by the supplier without warning. So, we determined a set of laboratory tests to be performed every x months. 

  You can find more information below about mitigating risks.

  • How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
  • How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • In this free webinar on-demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
  • Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (I use a lot of examples based on the risk-based approach)

• Controlled vs Non-Controlled copy

  Who are these students?

  Are they future users of the SOP’s? If they are future users of the SOP’s, will they have access to them in the future through paper or through another medium, like digital? If they will have future access to SOP’s through paper perhaps the copies should be controlled.

  If they are not future users, or are future users with future access through digital, distributing non-controlled copies seems to be the best solution.

  Controlled copies are used to ensure that those that need to use them are on the loop to be informed of any change

  You can find more information about documentation below:

  • Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/