Search results

ISO 9001 Question

The auditor focused your attention in a particular problem, the non-conformity raised. Developing a corrective action means finding the root cause(s) and eliminate it/them.

First you have to expand your mind by answering to the question why. Why did this nonconformity occur?

A team can brainstorm a set of answers. The answers are hypothesis about what can be behind the non-conformity. Hypothesis are theories not the truth. Then, the most promising theories are selected, and information is collected, or tests are made to eliminate the wrong ones and keep the good ones. Now, we know what is behind the non-conformity, we know the root-cause(s). A root cause is something that has a strong impact in the occurrence of the non-conformity, and it is something that can be managed. It is time to develop a solution, something that will remove or reduce the frequency of the non-conformity. More than one solution may be available, normally one is chosen based on cost, or effectiveness, or easiness or resistance.

For example, during an audit a nonconformity was raised because there were no evidences of performance of a quality control during the night shift.

Why there was no control at the night shift?

Because people:

1. Don’t like to do quality control;
2. Think quality control is not their job function;
3. Have no time to do quality control;
4. Actually, do quality control, but they do not record the results;
5. Don’t know how to do quality control;
6. Did not know they are responsible for quality control; 

After some investigation. For example, what shifts missed the records? Who worked on those shifts? What kind of training did they had? You may realize that they never had training (hypothesis 5 and 2) because they were admitted in a rush to answer to a surge in orders.

In this article you can find an answer to the question about the difference between a major and a minor non-conformity - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

The following material will provide you with information about root cause analysis:

• ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
• Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 9001 Successful Implementation

No, you do not need to memorize the standard for successful ISO9001 implementation. You study the standard and distill requirements to your processes and introduce or improve practices based on those requirements. People doing quality control do nor need to know that they are applying clause 8.6 and they treat non-conformities according to the standard without knowing that it is clause 8.7.

I think that the process approach can be a great help in doing this because it allows an organization to draw a model of how it works, a model that people can relate to. Then, it is easy to distribute ISO 9001 clauses over the model. The model stands as reference, it is what people know.

Please check this example:

The following material will provide you more information about the process approach:

• Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - please check how training can be related with the process approach
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ - where I extensively use the process approach.
   

Update SoA

To update the SoA considering your stated scenario, you need to:

• update your risk assessment, to see if new unacceptable risks had arisen or current ones had changed
• review applicable legal requirements (e.g., laws, regulations, or contracts.), to see if new controls are now applicable
• adjust your risk treatment according to the updated unacceptable risks and applicable legal requirements

After approving the updated risk assessment and treatment you can update the SoA accordingly.

This article will provide you a further explanation about SoA:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

For common risks and safeguards related to working remotely, please read:

• Checklist of cyber threats & safeguards when working from home (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home

Short way to get certified as ISO 27001 and 27002

First is important to note that only ISO 27001 is a certifiable standard. ISO 27002 is a support standard which provides guidance and recommendations for implementation of controls from ISO 27001 Annex A.

Considering that, in a general way, after getting support for the certification (through approval of an ISO 27001 certification project plan) and approval of the Procedure for Document and Record Control, you should consider these for implementation:

1. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
2. development of risk assessment and treatment methodology;
3. perform a risk assessment and define the risk treatment plan;
4. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
5. people training and awareness;
6. controls operation;
7. performance monitoring and measurement;
8. perform internal audit;
9. perform management critical review; and
10. address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you a further explanation about ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

To see how documents compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

As for the shortest way to get ISO 27001 certified, it would involve hiring a consultant, because this approach will rapidly provide the knowledge, expertise, and methods to implement the standard, although it is the most expensive approach.

Other approaches that can be adopted are implementing the standard using your own employees (the cheapest and longest way), and implementing the standard with a DIY approach and using external know-how (a mid-term approach).

These articles will provide you a further explanation about implementation approaches:

• 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
• 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/
• Do you really need a consultant for ISO 27001 / BS 25999 implementation? https://advisera.com/27001academy/blog/2011/12/06/do-you-really-need-a-consultant-for-iso-27001-bs-25999-implementation/

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

ISO 14001 New Objectives within a small business

In environmental management systems I’m always going back to the list of significant environmental aspects and impacts to renew the list of environmental objectives. Also, I try to connect environmental objectives with business objectives. For example, if an organization competes based on price what significant environmental objectives can best contribute to reduce costs?

Please check this information below with more detailed answers:

• How to Use Good Environmental Objectives - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-use-good-environmental-objectives/
• Examples of ISO 14001 objectives based on the different company sizes - https://advisera.com/14001academy/blog/2019/10/22/iso-14001-objectives-examples-for-different-company-sizes/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

ISMS scope of a digital bank

You can define the scope in terms of only the part of the organization (i.e. the Database), but in general, for small and mid-sized business, the best approach is to include the entire organization in the ISMS scope, because the effort to separate the scope for such organizations may not be worthy.

These articles will provide you a further explanation about the scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

Patch Management Policy and Vulnerability Management Policy

Patch management and vulnerability management would be best covered in A.12.1 - Security Procedures for IT Department, located on folder 08 Annex A Security Controls >> A.12 Operations Security since it involves change management.

This article will provide you a further explanation:

• How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/

ISMS scope of a digital bank

Você pode definir o escopo em termos de apenas uma parte da organização (ou seja, o Banco de Dados), mas em geral, para pequenas e médias empresas, a melhor abordagem é incluir toda a organização no escopo do SGSI, porque o esforço para separar o escopo para tais organizações pode não valer a pena.

Estes artigos fornecerão uma explicação adicional sobre a definição do escopo:

• Como definir o escopo do SGSI https://advisera.com/27001academy/pt-br/knowledgebase/como-definir-o-escopo-do-sgsi/
• Problemas com a definição do escopo da norma ISO 27001 https://advisera.com/27001academy/pt-br/blog/2010/12/21/problemas-com-a-definicao-do-escopo-da-norma-iso-27001/

Esses materiais também irão ajudá-lo com relação à definição do escopo:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

BCP implementation

Once you have identified the disruptive scenarios you have to handle, broadly speaking, the development of a continuity plan based on ISO 22301: 2012 requires the development of:

• incident response plans, with emergency actions to be performed right after the disruption being identified;
• continuity actions to bring activities back to the minimum agreed levels;
• recovery actions to bring activities back to normal operations.

These materials will provide you a further explanation about developing a continuity plan:

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
• How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

To see how a Business Continuity Plan compliant with ISO 22301 looks like, I suggest you see the free demo of our Business Continuity Plan at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/