1. How to understand Context of the Organization
You can understand the context of the organization as any internal or external factor that can affect the ISMS. As examples of external factors (something that is outside the organization's control), we can mention new technologies, competitors, and laws. Examples of internal factors (something the organization can control or have influence over) are the organization's own resources and knowledge, its culture, and its employees' competencies. Understanding the context is essential to identify where the ISMS can be applied, and its strengths and limitations.
This article will provide you with a further explanation about the Context of organization for ISO 27001:
These materials will also help you regarding the Context of organization for ISO 27001:
2. and determine scope for Implementation of ISO 27001:2013
According to ISO 27001, an ISMS scope must be defined in terms of information, locations, or business units to be protected, considering the organization's objectives and context.
For small and mid-size organizations (up to 100 employees), it is often better to include the whole organization in the scope, because the effort to keep only a part of the organization in the scope is not worthwhile. For bigger organizations, defining a smaller scope may be better to reduce the costs and effort to what really matters for business objectives.
These articles will provide you with a further explanation about defining the scope:
I'm assuming that by "Vendor log" you mean the document or system you use to record and manage your vendors.
Considering that, to identify which vendors should be in your Vendor Log, and under periodic vendor review, you need to perform a risk assessment on your vendors, to identify if they can raise relevant risks that need treatment. Additionally, you need to evaluate the legal requirements you must comply with (e.g., laws, regulations and contracts), to identify if any of them has clauses defining specific vendors or conditions that will require vendors to be logged or reviewed periodically.
These articles can provide further information:
In your documented procedure Control of documents, you can state that your particular website is also documented information, but you just need to explain somewhere (maybe in the SOP Control of documents or in a separate SOP) how you control the website, who is responsible for changes to the website, how the backup is provided, how you collect any information from the customers, how the data that customers leave on your website is protected, and so on.
For more information on documentation control, please see the following article:
You can see what our ISO 13485:2016 documentation toolkit looks like at the following link: https://advisera.com/13485academy/iso-13485-documentation-toolkit/
You can even download the free demo at the following link: https://advisera.com/13485academy/iso-13485-free-demo/
For more information on what ISO 13485:2016 is, please see the following links:
If you have any other questions regarding ISO 13485, please do not hesitate to contact us.
Requirement 6.2 Human resources from ISO 13485:2016 states that the organization must document how to evaluate the effectiveness of the training. So it states what needs to be done, not how to do it. It is totally up to you to define the method of training validation. Only keep in mind that you need to ensure the competencies for a particular job and employees' awareness of how they participate in the quality of both products and systems.
Your idea to create a different version of the quizzes for each group of SOPs sounds great.
Here you can see how we have prepared the human resources procedure and record in our ISO 13485:2016 documentation toolkit:
ISO 27001, ISO 20000, and ISO 9001 share some common requirements that can be fulfilled by the same documents with minor adjustments, like document control procedure, internal audit, and management review. For requirements specific to each standard you will need to develop specific documents.
There is no specific procedure for such integration, but broadly speaking you can follow the steps to implement ISO 27001 and use the following material to identify when common requirements can be integrated:
For further information, see:
Yes, you can do it with an organizational chart and by updating the job descriptions. There is no requirement in ISO 13485:2016 on how you are supposed to do it. Requirement 5.5.1 Responsibility and authority states that top management shall ensure that responsibilities and authorities are defined, documented, and communicated within the organization. It is totally up to you how you will do it.
For more information on defining roles and responsibilities within an ISO 13485-based QMS, please see the following article:
For more information on fulfilling management responsibilities in ISO 13485:2016, please see the following article: