Search results

Details about Documents Assets

The information to be considered as an asset will depend on your ISMS scope.

For example, if your ISMS scope includes only R&D information, then employee information will not be an asset for ISO 27001. On the other hand, if the ISMS scope includes all organization's information, then employee information will be an asset.

These articles will provide you a further explanation about ISMS scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

For further information, see:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

ISO documentation

The first thing you need to do is review the organizational context, identify which internal or external issues have changed and after that review the risk assessment, to identify if new risks have arisen or if current risks have changed, so you can perform required adjustments.
 
Specifically for ISO 27001, you will need to update the Statement of Applicability and the Risk Treatment Plan.
 
ISO 9001 documents to be updated will vary according to the results of risk assessment.
 
This article will provide you a further explanation about SoA: 

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

These materials will provide you more information about what to consider in regard to work from home, and pandemic:

• What to include in an ISO 27001 remote access policy https://advisera.com/27001academy/blog/2019/04/23/iso-27001-remote-access-policy-how-to-develop-it/
• Checklist of cyber threats & safeguards when working from home (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
• How to use ISO standards to address a pandemic https://advisera.com/articles/how-to-use-iso-standards-to-address-a-pandemic/
• How to perform an internal audit remotely [free webinar on demand] https://advisera.com/27001academy/webinar/remote-internal-audit-free-webinar-on-demand/
• How to use ISO 27001 to secure data when working remotely [free webinar] https://advisera.com/27001academy/webinar/how-to-use-iso-27001-to-secure-data-when-working-remotely-free-webinar-on-demand/
• How to use ISO 9001 to control operations during the pandemic [free webinar] https://advisera.com/9001academy/webinar/how-to-use-iso-9001-to-control-operations-during-the-pandemic-free-webinar/

Asset movement register

I'm assuming that by "asset movement register" you mean a document used to record the movement of an organization asset (e.g., when it is temporarily or permanently transferred from one department to another, or when it goes outside the organization, for maintenance or to be used in travel.)

Considering that, for an asset movement register you should consider the following:

• the asset identification (e.g., serial number, model, etc.)
• the asset owner (the person who authorizes asset movement)
• the asset custodian (the person in possession of the asset)
• the current location of the asset, and to where it will be moved
• if the movement will be temporary or permanent (in case it will be temporary, the date by which it will be returned)

The asset owner and the asset custodian must sign the movement register.

Root cause analysis and corrective action plan

Root cause analysis can be performed in several ways, and since these approaches are easily findable on the Internet we do not have specific templates for them, but you can find useful information about 5 why and fishbone diagram in this article:
- How to use root cause analysis to support corrective actions in your QMS https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/

Is ISO 27001 relevant for clinical data management?

The purpose of ISO 27001 is to protect the information, and it was designed to be used by organizations of any size or industry.

Clinical data involves the handling of very sensitive information related to persons' medical information, which is under the protection of laws and regulations in several countries, and ISO 27001 can help clinics to fulfill related requirements.

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Audit and Risk Management

I'm assuming you are auditing considering ISO 27001.
 
Considering that, first you need to consult the Statement of Applicability, to identify which controls are related to license and patch management (e.g., A.11.2.7 Secure disposal or reuse of equipment, A.12.5.1 Installation of software on operational systems, and A.12.6.1 Management of technical vulnerabilities), and how these controls are implemented.
 
Based on that you can build a checklist with documents and records you need to look for.  

This article will provide you a further explanation about developing an internal audit checklist:

• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

These materials will also help you regarding internal audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Organisational annual audit plan and audit of each department.

ISO 9001:2015 is not about departments, but about processes. So, determine which processes cross each department. When auditing a department you will audit the requirements around the processes that cross that department.

For example, purchasing department may be about purchasing (clause 8.4), about quality control at reception and nonconformities (clauses 8.6 and 8.7), about identification and traceability (clause 8.5.2), about production planning (clause 8.5.1), about preservation (clause 8.5.4), about warehouse conditions (clause 7.1.4). If you check, I identified the clauses by following the process since identifying a need for purchasing until receiving and storing in the warehouse.

About the annual audit plan, you should consider auditing all processes and ISO 9001:2015 clauses in two or more internal audits along a year.

The following material will provide you information about internal auditors:

• ISO 9001 – ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
• What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
• Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
• Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

Employees transportation as an environmental aspect in ISO 14001

You can consider it an indirect environmental aspect that the organization can influence, but not control. Then, while evaluating that aspect you can decide if your organization should do anything about it, or if there are other priorities.

You can find more information below:

• 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
• Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
• Free webinar - Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Preliminary steps in the implementation of ISO 9001:2015

Determine the scope of the quality management system (QMS), your organization may decide to include only certain lines of business.

Setup a project sponsor, a project manager and a project team. Ensure top management support, get training about the standard. Designing and implementing a quality management system implies being knowledgeable about ISO 9001:2015.

As a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis you can develop your Project Plan, listing what needs to be done, by whom, until when.

Then, an important step is to design a model of how your organization work as a set of interrelated processes. For example:

Decide how to describe and monitor those processes.

From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

This is a very short description of the journey but below you can find more detailed information:

You can find more information below:

• Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Overview of complete links for whole company QMS

Unfortunately, there is no straightforward way to review the company's QMS documentation according to                  IATF 16949: 2016 standard.

Important issues for major QMS documentation are given below.

• The company has a documented methods in front of each "documented process" statement written in the standard,
• The existence of a risk assessment system for each place where "Risk" is mentioned in the standard,
  Documentation of the quality manual,
• Documentation of all QMS processes and documentation of at least 12 months of KPI data.
• Inclusion and evaluation of customer-specific requests in the QMS system.
• Documentation of machine set-up, maintenance, usage instructions, measuring equipment instruction work instructions, etc.
• Availability of all relevant records (PPAP, corrective action, FMEA, capability analysis, MSA results, production and product approvals, supplier assessment and evaluation results, internal audits, management review results, job descriptions, Quality Policy, training records, etc.) in the system.