I recommend keeping the old risks in the register and adding the new risks. What must be updated are the columns in the register about, for example, probability, severity and result. If corrective actions were taken and were effective, either probability was reduced, or severity was reduced, or both.
You can find more information below:
I recommend that organizations see sales as a process in order to develop metrics.
For example, about the outputs:
For example, about the process:
You can find more information below:
1 - My understanding of the SOA is that it lists the 114 controls of Annex A. An organization should select the controls that are ‘applicable’ to safeguard the assets that are in the scope of the organization's ISMS. Is this correct?
There is something I do not understand. The above makes sense if the SOA only applies to 1 asset (for example, a single business system). In this example, 112 out of 114 controls might be applicable. But what happens when you add more and more assets? The 2 controls that are not applicable for the first asset might be applicable for the other assets – eventually, you just end up saying that all 114 controls are applicable and therefore the SOA does not really have much value at this point?
When you add more assets, the number of applicable controls will in fact increase, but from our experience with our customers, smaller companies are usually at ca. 100 controls, while larger ones are usually above 110.
For example, for companies that use only Commercial off-the-shelf (COTS) software, there is no need to apply control A.9.4.5 Access control to program source code, because there wouldn't be any source code in the organization.
Please note that the Statement of Applicability's purpose is not only to list the applicable controls, but also to provide a justification for applicable controls (e.g., needed to treat risk, needed to fulfill a legal requirement, etc.), a justification for non-applicable controls, and the implementation status of the applicable controls. This information can be used to summarize an organization's approach to protecting information and to guide auditors during audits.
For further information, see:
2 - My other question is around risk assessments. If all 114 controls are applicable for a system, does that mean our risk assessment has to cover all 114 controls? Or would a better way be to do a ‘compliance assessment’ to verify which of the 114 controls are applicable and which of those controls are implemented and working effectively and then document the risks based on the control gaps?
Please note that for ISO 27001, risks and requirements lead to control applicability, not the other way around.
Considering that, you do not need to identify risks to justify the applicability of all 114 controls, only the controls that are relevant to your organization.
What you could do in the next regular risk review (e.g., in 6 or 12 months' time) is to include the risks that you realized were missing from your existing risk assessment.
This article will provide you with a further explanation about risk assessment and risk treatment:
This material will also help you regarding risk assessment and risk treatment:
The list of legal, regulatory, and contractual or other requirements summarizes all requirements, interested parties, and responsible persons for complying with requirements that must be fulfilled by the ISMS.
An example of how to fill in the List of Legal, Regulatory, Contractual, and Other Requirements is this scenario:
A customer has a service level agreement with your company which defines, in clause 32-b, that in case of a disruptive incident, access to information system ABC must be restored to at least 30% of normal capacity in no more than 24 hours. In this case, the person responsible for system ABC is responsible for ensuring that the system complies with this requirement. Then your document would look like this:
Interested party: Customer Jon
Requirement: Clause 32-b (recovering access to system ABC to at least 30% of normal capacity in no more than 24 hours)
Document: Service level agreement
Person responsible for compliance: System ABC administrator
Deadline: 24 hours after the occurrence of a disruptive incident which makes access to system ABC unavailable
To see what a list of legal, regulatory and contractual or other requirements looks like, please take a look at the free demo of our List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
This article will provide you with a further explanation about the list of requirements:
PECB does not require a specific set of courses or curriculum of study as part of the certification process, so self-study or third-party training are optional. If you go for training, the completion of a recognized PECB course or program of study would be the better approach.
For further information, see: https://pecb.com/en/examination-rules-and-policies
Thanks, and noted, but my query was related to online internal audit. Also, I would like to inform you that in India one online external audit was performed. If you require, I can give you the details.
The surveillance audit will be used to verify that the quality management system is still working and that procedures are being used. Particular attention will be paid to verifying the actions taken to close any non-conformities raised during the certification audit. The records associated with the system review, internal audits, complaints, treatment of non-conformities and development of corrective actions will be audited. Some processes will be audited at random to prove that the system continues to be followed.
You can find more information below:
Yes, ISO 9001:2015 is for organizations, not for individuals. If you want to be qualified in relation to ISO 9001:2015, you can look for courses where you can get a certificate.
You can find more information below:
My first instinct was to recommend that you check the ISO 9000:2015 definitions, but then I realized that ISO 9000:2015 uses qualification and verification interchangeably. Verification is commonly used in design activities to name a set of activities done to confirm that specifications were met. Meeting specifications is not a guarantee that requirements for intended use are met; that is the topic of validation: confirmation that requirements for intended use are met. Now, about qualification, I have doubts about what you mean by it. Perhaps qualification is the state after a successful verification.
You can find more information below:
There is no universal answer; a specific answer for your own organization will depend on its organization chart and job descriptions. I see many maintenance departments being held responsible for fleet inspection management.
You can find more information on Statutory and regulatory requirements below: