  • Filling document

    Please, we need to know how we should fill out the document "A.14.1 Specification of Information System Requirements". Should this appendix or file be filled out for each information system that the client has? "Plus Consultants"

    Please note that this template needs to be filled out for each information system you intend to acquire or change. In case there is no intention to change or acquire a system, there is no need to fill in this template for such a system.

  • ISO documents management (Delegation)

    First: during the ISO 22301 implementation, the CISO was assigned to be the BCM Manager with R&R under this title, and he was the document owner too. The project finished and after a while the CISO resigned, and we need to delegate someone on his behalf. Q: What are the needed changes that should be done on these documents? Document owner, add a new title under roles and responsibilities? Or will the delegation letter from the top management cover this, with no need to change the documents?

    In case this new person will come to have the same job title defined in the documents, then only the delegation letter from the top management will be enough.

    In case this new person will come to have a different job title as defined in the documents, then the documents will need to be updated to reflect the new job title of the responsible person.

    Second: during the ISO 27001 implementation there was no information security manager. The ISM is defined in the company structure with R&R under this title, and they are going to hire one next year due to the small size of the company; he will officially be the A&R person for all documents and the project. Q: What are the needed changes that should be done on these documents? ISMS Manager, add a new title under roles and responsibilities? Or will the delegation letter from the top management until the ISM is hired cover this, with no need to change the documents?

    Thank you very much, and I'm looking forward to hearing back from you soon.

    Considering an ISM will be hired next year, then the best approach will be to temporarily delegate to someone in the company the role of the ISM. For example, in a small company, the CTO or the person responsible for the ISMS implementation can be designated temporarily as the ISM.

  • Mandatory documents or not

    1 - According to my understanding of your answer, these are not required to be documented, as it does not specifically say so (see red text above). If a policy and an implementation are required, as is advised in A.10.1.1, shall I really understand it not to be required to be documented?

    Your understanding is correct. Unless the standard explicitly states that something needs to be documented, you do not need to develop a document.

    2 - The documentation that I have purchased does not have templates for all requirements, for instance A.12.4-7. How come? Am I to understand it as A.12.1-3 are supposed to be documented (at least “if applicable”) but A.12.4-7 are not?

    Versus controls that have the word “documented” in them, as for instance A.12.1.1 Documented operating procedures – Control – Operating procedures shall be documented and made available to all users who need them.

    shall be documented.

    I am afraid that I am missing something here.

    Please note that from section A.12, only control A.12.1.1 explicitly states that documentation needs to be developed. All other controls do not require policies or procedures to be documented.

    The toolkit is developed to cover all mandatory documents (e.g., Information Security Policy, ISMS scope, etc.) and the most frequent documents adopted by organizations, so as not to overwhelm them with the administrative effort to maintain documents.

    In case you identify a need to document a control for which there is no template available, you can use the blank template included in your toolkit to develop the document, and you can contact us to solve questions about the development or schedule a meeting so one of our experts can provide orientation on how to develop the documents.

  • Risk and corrective action

    A risk-based approach is stated in clauses 7.10 Nonconforming work b) and 8.7.1 Corrective action b). In 8.7.1 e) and 8.7.2 the requirement is clearly specified that a laboratory must refer to the risks and opportunities in the register and take the degree of action according to the risk, i.e., a high risk requires appropriate resources and action to reduce the risk to a level the laboratory identifies as appropriate. The low risks could be justified as not needing action.

    Practically, the laboratory must state its approach, e.g., assign resources to reduce all high risks to an acceptable level, consider reducing medium risks if solutions and resources are readily available, and accept any low risks without further action.

    Start off by considering that you are never looking for a singular root cause to take one action to address a nonconforming event. You are seeking the best possible practical, executable solutions to implement, and then monitoring and reassessing the remaining risk. Certain actions can be complicated, time-consuming and expensive to implement, while a combination of other actions may be less costly and quicker, while reducing the risk of a recurring event to a suitable, but not “zero”, level.

    For more information have a look at the article Corrective actions principles and root cause analysis in ISO 17025 at https://advisera.com/17025academy/blog/2020/11/04/corrective-actions-principles-and-root-cause-analysis-in-iso-17025/

    And the available toolkit: https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • How to meet the MTBF objective?

    I assume that MTBF means the mean time between failures.

    I'm not an expert in maintenance, however, I will answer considering the MTBF as an indicator that we want to improve by increasing the mean time between failures. Thus, I would apply the classic quality tools. I would start with a Pareto chart with the reasons for failure. Then, for the most frequent reasons, I would perform a cause analysis using, for example, the cause-effect diagram to determine the root causes. Then I would develop actions to eliminate those root causes.

    I recommend consulting the following materials:
