Search results


  • Is it necessary to supply the assessor with a record of the router configuration?

    If this record of the router configuration is related to the information included in the certified ISMS scope (e.g., this router allows access to R&D servers, and R&D information is included in the ISMS scope), then it has to be audited at some point during the certification cycle (i.e., during surveillance audits), so the auditor can check if the router configuration allows access only for authorized entities, and as part of the certification process the auditor has the authorization to access this information to perform the audit.

    This article may provide you with further information:

  • ISO 27001 Asset-based risk assessment

    I'm assuming that by asset-based risk assessment you mean the asset-threat-vulnerability approach.

    Considering that, even if a set of asset-threat-vulnerability raises no risk to the information that is part of the ISMS scope, you should keep it in the Risk Assessment for record purposes. First, because this way you can keep track of already identified sets of assets-threats-vulnerabilities you thought were relevant, which in future assessments will save you time in risk identification (you will not need to work on the identification of these risks again); and second, since risk is a dynamic variable, in a future assessment these sets may indeed raise a risk that requires treatment (e.g. due to a technological change or new legislation).

    These articles will provide you with a further explanation about risk assessment:

    These materials will also help you regarding risk assessment:

  • Define and formalize a Top Management involvement strategy

    In ISO 27001, the involvement of top management is defined and documented in the Information Security Policy. The definition of top management involvement must consider the expected objectives from the ISMS, as well as the business objectives and strategies.

    To see what an Information Security Policy looks like, see: https://advisera.com/27001academy/documentation/information-security-policy/

    These articles will provide you with a further explanation about the Information Security Policy:

  • ISO 9001 and manuals

    ISO 9001 is an international standard about developing a quality management system (QMS). A manual is a particular kind of document. For example, it can be used as an identity card of a QMS, explaining how it works and what its parts are. They are not the same thing.

    The following material will provide you with more information:

  • Using Non-ISO Clients on Controlled Forms

    Thank you for the information. Regarding you being “shocked”, I agree with your concern. As I do not have all the context (it depends on the use of the record), I will answer generally with some comments to assist.

    A laboratory implementing ISO 17025 and working towards accreditation must state the range of activities that conform to ISO 17025. For general activities, for example document and record control, customer contracts, handling complaints and corrective actions, it is not appropriate to consider applying a conforming approach to some situations and a non-conforming approach to others. The management system must cover all activities that could impact the policies and objectives (aligned to the ISO 17025 purpose); otherwise, it defeats the purpose of the management system. The purpose of ISO 17025:2017 is to provide laboratories with the requirements to ensure competence, impartiality, and consistent operation. The purpose of the accreditation is to provide confidence in the operation of the laboratory. Beyond the overall requirements for common general activities, only the tests on the scope of accreditation need to comply with all the mandatory technical competency requirements such as completed metrological traceability, validation, and participation in interlaboratory studies.

    Bear in mind that often an auditee will answer in a way that does not reflect the real situation. What is required in an audit is objective evidence against specific criteria. When a response is given verbally, best practice is to ask an open-ended question to get to the basis of that response. With your knowledge of ISO 17025:2017 and laboratory operations, ask yourself where the higher risk or deficiency lies and go deeper there. In this case, it means looking at the criteria for confidentiality (clause 4.1), data and information management (clause 7.11), and customer requirements (clause 5.4); not document control. As an auditor, note the document control observation/concern to tie in later with other observations. You can also note a concern in the apparent gap in the responder's knowledge of the requirements (consider if the person should know details or have an awareness, depending on responsibility).

    In any situation where you are looking for evidence that the organization has established and is maintaining their management system to the extent required (or not), consider the operational, standard, and regulatory needs. For example, ISO 17025 clause 8.2.5 states personnel must have access to the information required. That said, in order to minimize risks, protect confidentiality and safeguard impartiality, an organization should only make the minimum information available, and only to those personnel who need it to do their work. Take a risk approach to the audit, considering the context. There are four questions to ask which will lead you to the criteria for deeming compliance or not. Ask:

    1. What is the organization required to do by law?
    2. What has been agreed with the customer?
    3. What are the mandatory ISO 17025 requirements?
    4. What has the laboratory documented as a procedure, meaning what have they stated they will do?

    Stating the non-conformance finding clearly against specific criteria will assist the laboratory to close the significant gaps.

    The following may be of interest, to complement your approach:

  • Accreditation for 3D machines

    First of all, there is no relationship or request with the 3D machine in the IATF 16949:2016 standard. I would like to state again that you cannot see the word 3D printer directly in any item of the IATF standard.

    I will answer your question in 2 ways.

    Firstly, if the company produces 3D printers and sells these machines to automotive customers, then the company that produces the 3D printers must be ISO 9001:2015 certified. Calibration may be required for 3D printing, and machine maintenance must also be performed. The machine must be repaired in case of malfunction and the necessary spare parts must be provided.

    Secondly, if the company producing automotive parts uses a 3D printing machine to design products and/or molds, item 8.3 of the IATF 16949:2016 standard, product and process design and development, must be considered.

    In other words, part/mold technical drawings must be kept with revision numbers and history. FMEA (Design and/or Process) records related to the project must be created. Prototype part tests and results must be followed and documented. This topic is about a product or process design, not related to the 3D printer machine. Here, the 3D printer is in the auxiliary equipment position. It should be calibrated and routinely maintained, necessary spare parts must be kept, users trained, etc.

  • Information Security Incident or Business Continuity Disruption

    If a customer has a business continuity disruption that affects the availability of information, must they log it as an InfoSec incident AND a BCMS Disruption?  How should they go about assessing which system to manage it under?

  • Implementing ISO 9001 in a university library

    The first thing you should do is secure the support of the organization's management, in this case the library's management, which will be key during the implementation of ISO 9001:2015 since it provides the resources, both financial and personnel.

    After that, you can carry out a GAP analysis, which will help you identify the requirements you already comply with and those you still need to comply with. You can carry out the analysis free of charge here: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/

    Then you need to know each of the clauses you have to comply with in order to carry out the ISO 9001 implementation project. In this white paper you can find summarized information on each of them - Clause by clause explanation of ISO 9001: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015

    Afterwards you can write a project plan in which you assign responsibilities, define the documentation that will be written, the implementation deadlines, etc. You can download a template at this link - Project Plan for ISO 9001 implementation: https://info.advisera.com/9001academy/es/descarga-gratuita/plan-de-proyecto-para-la-implementacion-de-iso-9001-ms-word

    Then you could begin implementing the standard: defining the quality policy, the quality objectives and the plans to achieve them, the context of the organization and its interested parties, the scope of the QMS, etc., up to the internal audit and the management review, which would be the step prior to certification. At this link you can download a checklist for implementing the standard - Project checklist for ISO 9001:2015: https://info.advisera.com/9001academy/free-download/project-checklist-for-iso-9001-2015-implementation

    These materials can help you with the implementation of ISO 9001:2015:
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training – ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

  • ISO 13485 Lead Auditor

    Thanks for your reply to my questions. I do appreciate it.
