Search results

IT and Riscs

Excellent answer i got it 

Becoming an ISO 9001 trainer

If you were in my country, I would advise you to:

• get a trainer certificate;
• and promote your expertise and experience as auditor as a basis for your skills as trainer. Find a way of documenting and giving credibility to your knowledge and preparation. Potential clients must be aware of your competence. About competence: Can you provide evidences of experience as auditor? Can you provide evidence of training as auditor? Can you provide evidence of certification as auditor and trainer to provide image and credibility?

Potential clients must be aware of your existence. You must develop your own brand by evidencing your knowledge and experience. You evidence your knowledge when you write. You should write. Share what you know, share your experience and results, share testimonies of your clients about the outcomes of working with you. Use blogs, professional networks, trade magazines, use your LinkedIn profile, make presentations at conferences. And don’t forget to develop a network of contacts.

The following material will provide you more information:

• How to sell your ISO 9001 consulting services - https://advisera.com/9001academy/blog/2017/06/20/how-to-sell-your-iso-9001-consulting-services/
• ISO 9001:2015 Foundations Training Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

How long we should retain measurement system records?

Measurement system records are technical records so the laboratory needs to comply specifcially with the requirements of ISO 17025 clauses 8.2 and 7.5.

The laboratory needs to establish what a suitable retention time is for different types of records, based on contractual and legal requirements.  The potential risk or impact to the laboratory should be evaluated if the period selected is too short, or even too long.  Consideration should be given to the medium  of the records as all requirements of ISO 17025 must be met during the retention period in terms of data confidentiality, security and integrity.  You need to considering both paper, scanned and electronic records. This also includes being able to “read” the record either with the human eye or a computer process, throughout the retention period,  i.e. format ands medium must be contemporaneous. Consider for example if there was a legal dispute over a result or report years down the line, the results would need to be traceable to legible (readable) measurement system records to verify validity of the reported results. 

It is interesting to note that most laboratories do not define the concept of archiving. By definition retention period is the period of time that records (documents) should be retained in their offices of origin or in records centres before they are transferred to an archive(s) <organization>  or otherwise disposed of  (SOURCE: ISO 5127:2017(en) Information and documentation - Foundation and vocabulary). In other wordsm to mitigate risk, a laboratory could consider keeping a particular hand written raw data record for say 6 months, then scanning it and retaining the electronic file with quick access by the laboratory say for 3 years. Thereafter it could be archived for a suitable period, before disposal. Costs need to be considered as a factor in the risk assessment too.

For further information, have a look at the ISO 17025 document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/

For supporting information regarding actions to address risks and opportunities, see: 

• The ISO 17025 toolkit document template: Addressing Risks and Opportunities Procedure at  https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/
• The article Five-step laboratory risk management according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/
• The Free ISO17025 Academy webinar – How to manage risks in laboratories according to ISO 17025 at https://advisera.com/17025academy/webinar/iso-17025-risk-management-how-to-manage-it-free-webinar-on-demand/ 
   

Approval of documents

Yes, authorship and approval are not exclusive. The only criteria is that a chain of authority coming from top management gives someone the authority to approve a document.

The following material will provide you more information:

• ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Política ambiental en la ISO 14001

La principal diferencia entre la política de calidad de la norma ISO 9001 y la política ambiental de la norma ISO 14001 es el enfoque sistemático que ofrecen. En ISO 9001 el enfoque de la política está centrado en la calidad del producto o servicio y satisfacción del cliente, mientras que en ISO 14001 la política ambiental busca medir el impacto ambiental preservar el medio ambiente. 

Para más información sobre la política de calidad y de medio ambiente, vea los siguientes materiales: 

- How to write a good quality policy: https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/

- How to write an ISO 14001 environmental policy: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-write-an-iso-14001-environmental-policy/

- Curso gratuito en línea - Fundamentos de ISO 9001:2015 -  https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

- Curso gratuito en línea - Fundamentos de ISO 14001:2015 - https://advisera.com/training/es/course/curso-fundamentos-iso-14001/

- Libro - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

- Libro - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

Internal audit for clause 8.1

Auditing clause 8.1:

a) You will ask for specifications for products and services. Are they defined, approved and current?
b) 1) You will ask for a process control plan
b) 2) You will ask for a product or service quality control plan
c) You will ask for any definition of conditions or resources needed to meet product or service requirements. For example, materials and components to be used as raw materials, or requirements for subcontractors, or requirements for people – number and competences
d) You will ask for evidences of following and applying b)1) above
e) You can ask for a list about documents and records used in operations.

Audit also how changes are implemented and controlled and how subcontractors are controlled.

The following material will provide you more information:

• ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

BCP templates

The BCP templates from the Toolkit are compliant with ISO 22301 and are applicable to organizations of any industry (although our templates are designed for small and mid-sized organizations, up to 500 employees).

The templates provide the basic structure to build a business continuity plan, so they do not contain details about specific industries. The IT examples are used because most of our customers rely on Information Technology processes, but the examples can be extrapolated to any industry.

These articles will provide you a further explanation about elaborating BCPs (not only involving IT scenarios):

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

 These materials will also help you regarding elaborating BCPs:

• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

ISO 27001 Maintenance Logs

ISO 27001 does not prescribe keeping maintenance logs.

The need to keep logs is defined by the results of risk assessment and applicable legal requirements, and also by the need to prove to auditors that security processes are being performed. These are the elements that will help you define which information must be logged, as well as the systems that must be logged.

These articles will provide you a further explanation about logging:

• Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
• Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

This material will also help you regarding logging:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Integrated systems

Since 2012 ISO management systems share many requirements (e.g., documents and records control, internal audit, management review, etc.), the individual documents for each system still are applicable, and they can be combined in single documents. For documents covering specifics of each standard (e.g., information security risk assessment and treatment, product planning), it is still better to keep them separately.

This article will provide you a further explanation about integrated ISO systems:

• Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
  - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

This material can also help you:

• ISO 27001 vs. ISO 9001 matrix (PDF) https://info.advisera.com/9001academy/free-download/iso-9001-2015-vs-iso-27001-2013-matrix

How to create item 4 of ISO 27001

I understand that you are referring to the list of legal requirements for ISO 27001.

Considering that, although the type of information to be gathered to fulfill requirements of section 4 (Organization Context) are basically the same for ISO 9001 to ISO 27001 (e.g., the requirement, responsible, due date, etc.), and by this, if the spreadsheet provided by your consultancy is compliant with ISO 9001, then it also complies with ISO 27001, the requirements for quality are very different from requirements for information security.

For example, for ISO 27001 the requirement would be to comply with LGPD, whereas for ISO 9001 the requirement would be to comply with some manufacturing-related regulation. So it would be better to list the legal, regulatory, and contractual requirements in separated documents for ISO 27001 and for ISO 9001.

To see how a document that lists the legal requirements for ISO 27001 looks like, I suggest you take a look at the free demo of  our List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

This article will provide you a further explanation about the identification of requirements:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/