Search results

Defining the Scope

You can define the scope of your ISMS as the data in the data center, but you need to state in the scope that this data is accessed by third-party, so this information can be used in the risk assessment and risk treatment process (from there you can define how to treat risks related to third-party accessing the data, normally by means of security clauses in contracts, agreements or terms of service).

These articles will provide you a further explanation about the scope definition supplier security:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

ISO 9001 and response time to customer complaints

ISO 9001:2015 does not define a response time to resolve customer complaints. What is expected is that complaints are resolved without undue delay. 
For example, I’m working as a consultant with a manufacturing company that was finally able to close a complaint after more than 3 months last month. They had to wait for lab test results that took a lot of time to be received.

The following material will provide you more information:

• ISO 9001 – Effective complaints management in a QMS - https://advisera.com/9001academy/blog/2014/09/16/effective-complaints-management-qms/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ may be useful
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Organization structure chart

If by organization structure chart you mean a drawing representing authority relationship in an organization, you must be aware that ISO 9001:2015 has no requirement for the existence of an organization chart. Also, ISO 9001:2015 has no mandatory requirements for procedures. ISO 9001:2015 has no mandatory procedures. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

Auditing an organization requires checking evidences from reality against audit criteria. As audit criteria you will have ISO 9001:2015 requirements and any internal rules and procedures, written or not written according to clause 4.4.2.

You can start your audit preparation by asking the organization its mandatory documents and a list of internal rules or procedures. If the organization has nothing, perhaps it is best to perform a Gap Analysis instead of an internal audit.

You can find more information below:

• Gap analysis vs. internal audit in ISO 9001 - https://advisera.com/9001academy/blog/2015/02/17/gap-analysis-vs-internal-audit-iso-9001//
• Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
• How to create a checklist for an ISO 9001 internal audit for your QMS - https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/ 
• Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
• ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/
• ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

Workplace hazards

The current pandemic illness that is affecting people world wide is certainly a hazard that needs to be taken into account in the hazard assessment for the processes in a company. As such it can be considered an OH&S hazard, and should be included in updated process controls for working processes.

You can learn more about the hierarchy of controls in the article: 5 levels of hazard controls in ISO 45001 and how they should be applied, https://advisera.com/45001academy/blog/2015/09/02/5-levels-of-hazard-controls-in-iso-45001-and-how-they-should-be-applied/

Linking ISO 45001 to data management

Since ISO 45001 aligns with all the other ISO management system documents you will find the same requirements for controlling documented information in clause 7.5. The requirements here give requirements for controlling procedures and records as well as archiving, and are the same as other standards such as ISO 9001 and ISO 14001. As such you can have one process for documentation control for all management system standards.

You can read more about the documentation requirements changes in the article: New approach to ISO 145001 documentation, https://advisera.com/45001academy/blog/2018/03/13/new-approach-to-iso-45001-documentation/

Confidentiality, Integrity, and Availability

Please note that ISO 27001 specifies that the CIA is related to risks (6.1.2 c 1), and to consequences (6.1.2 d 1), not to assets. Considering that, when using asset-based Risk Assessment, you need to consider the CIA on the asset-threat-vulnerability set, and to consequences related to it.

When you talk about a risk-based Risk Assessment approach, I'm assuming you are referring to the description of a risk scenario (scenario-based). In this case, the CIA must refer to the described scenario and related consequences, while that in a process-based Risk Assessment approach the CIA must refer to the defined process and related consequences.

For example:

• For asset-based:  paper document - fire - the document is not stored in a fire-proof cabinet (affects availability)
• For scenario-based: Data leak with impact on regulatory compliance occurring once every five years (affects confidentiality)
• For process-based: Payment process failure, resulting in people receiving wrong values (affects integrity)

For further information, see:

• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

Data to information

Some examples of data being converted to information can be:

Product quality control results after comparing them with specifications become conforming or non-conforming products.
Design and development verification results after comparing with specifications become conforming or non-conforming designs.

So, data is about facts related with something. Facts are neutral. Then, after comparing facts with some rules, they acquire meaning. They become data.

You can find more information below:

• Analysis of data obtained from Monitoring and Measurement - https://advisera.com/9001academy/blog/2014/04/22/analysis-data-obtained-monitoring-measurement/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

COVID -19 and ISO 9001 policy, processes and procedures

Normally, organizations do not make changes in policies and processes due to COVID-19. What I see is organizations making changes in procedures because they change the way they do some activities.

You can see more information below:

• Free webinar – How to perform an internal audit remotely - https://advisera.com/9001academy/webinar/remote-internal-audit-free-webinar-on-demand/
• Free webinar – How to use ISO 9001 to control operations during the pandemic - https://advisera.com/9001academy/webinar/how-to-use-iso-9001-to-control-operations-during-the-pandemic-free-webinar-on-demand/

Implementando la lista de verificación de códigos

Como implementaría la lista de verificación de códigos de documentos en una empresa?

Parameters for clean room

Cleanrooms are classified according to the cleanliness level of the air inside them. The cleanroom class is the level of cleanliness the room complies with, according to the quantity and size of particles per volume of air. 

All necessary information regarding cleanroom technology you can find in the following standards:

• ISO 14644-1:2015 Cleanrooms and associated controlled environments — Part 1: Classification of air cleanliness by particle concentration - This standard includes the cleanroom classes ISO 1, ISO 2, ISO 3, ISO 4, ISO 5, ISO 6, ISO 7, ISO 8 and ISO 9, with ISO 1 being the “cleanest” and ISO 9 the “dirtiest” class (but still cleaner than a regular room). The most common classes are ISO 7 and ISO 8.
• ISO 14644-2:2015 Cleanrooms and associated controlled environments — Part 2: Monitoring to provide evidence of cleanroom performance related to air cleanliness by particle concentration
• ISO 14644-3:2019 Cleanrooms and associated controlled environments — Part 3: Test methods