Please consider this free on-demand webinar: How to perform an internal audit remotely - https://advisera.com/9001academy/webinar/remote-internal-audit-free-webinar-on-demand/
Regarding ISO 19011:2018, please consider this: ISO 19011:2018 mentions the possibility of using remote audits and virtual audits. There is an important remark: performing remote audits can depend on the kind of risk to achieving the audit objectives, the level of confidence between the auditor and the auditee's personnel, and any regulatory requirements. Please check ISO 19011:2018 Annex A.1, Applying audit methods. See also Annex A.15, Visiting the auditee's location, and Annex A.16, Auditing virtual activities and locations.
Deciding when and how to use remote auditing techniques depends on the audit objectives, scope and criteria, the available technology, the competency of the auditee and auditor to use the technology, and the type of audit evidence that needs to be gathered. The key question is whether the remote auditing techniques allow you to meet your audit objectives while benefiting the audit process, or whether the use of remote auditing techniques could be a disadvantage to your audit.
The following material will provide you with more information:
A nonprofit association with all its services and support outsourced. Do you mean even top management? Do you mean even the promotion of fundraising and contact activities with benefactors? Who represents the nonprofit association? Who decides about outsourcing and contracts?
If you have at least one person acting as top management, you can certify that nonprofit association.
The following material will provide you with more information:
If your radius gauges are used to verify the conformity of products and services to requirements, they must be calibrated. If your radius gauges need to be calibrated, your organization can analyze previous calibration results and evaluate the possibility of increasing the time interval between calibrations. Yearly calibration is not the only possible frequency.
The following material will provide you with more information:
1. A user of a laptop or computer - do the assets need to be listed separately with the individual user?
ISO 27001 does not prescribe how to define asset ownership, so organizations can define it as best suits them.
In general, you do not need to list laptops and computers separately with individual users, because in most cases they all share the same risks. It is sufficient to list a single asset (e.g., laptop or computer) and designate a generic owner for this asset (e.g., user). Only in cases where you have a specific risk should you include specific assets and owners (e.g., "finance laptop" as the asset and "CFO" as the user).
2. If yes, then would every user need to be presented as a group or individually to offer feedback on the risks that they feel are individual to them for that asset? Correct? Would be interested in any feedback. Thanks
For generic assets such as a "laptop", you should list at least the most seasoned personnel in the organization and the key users (there is no need to list all people who have a laptop), so you can gather good feedback without much effort. For individual assets such as "finance laptop", you should list the person responsible for it.
This article will provide you with a further explanation about the asset register and risk assessment:
These materials will also help you regarding risk assessment:
Provided that your organization does not have relevant risks or legal requirements (e.g., laws, regulations, or contracts) that require the implementation of change management, it is possible to be certified against ISO 27001 without implementing this control.
These articles will provide you with a further explanation about the definition of controls and change management:
Your assumption is correct. The scope of ISO 22301 can be the whole organization or specific services, processes, business units, or locations.
As for the scope of the first certification process, if you are a small or mid-sized business, up to 500 employees, with only a single location, the best approach is to certify the whole organization (in such cases, the effort to keep the scope separated is not worthwhile).
In other cases, you should consider your business objectives and the most relevant services.
These articles will provide you with a further explanation about scope definition (they are about ISO 27001, but the same concept applies to ISO 22301):
This material will also help you regarding ISO 22301:
SOC 1 deals with a service organization's internal controls over financial reporting systems, and ISO 27001 is an international standard for information security, with requirements for the implementation of an Information Security Management System (ISMS), and with information security controls and control objectives to help protect information.
Considering that, ISO 27001 can be used to implement some of the controls defined by SOC 1, but they do not have a direct relation, and neither one is required to implement the other.
This article will provide you with a further explanation about ISO 27001:
These materials will also help you regarding ISO 27001:
The internal network itself cannot be defined as the ISMS scope. Since the ISMS scope can be defined in terms of locations, business units, or processes, the recommended approach for your case is to define the ISMS scope in terms of the business units or processes that manage the services and systems on this internal network.
For example: "The ISMS scope is the processes/business units related to the management and operation of the following services/systems: <describe the services/systems in this internal network>"
ISO 27001 does not prescribe a way to document a policy, so organizations can do it as best fits them, provided the documents fulfill the standard's requirements (clause 7.5 - Documented information).
If you want to see what documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our Mobile Device and Teleworking Policy at this link: https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
These articles will provide you with a further explanation about developing documents:
This material will also help you regarding developing documents:
No, you do not need to create a totally new quality manual. The ISO 17025 Quality Manual serves to document the overall Lab Quality Management System, providing a way to reference and link all the requirements together in one place. Your laboratory can implement ISO 17025 according to Option B. You can use your already established ISO 9001:2015 quality management system (and manual) to demonstrate compliance with the requirements of ISO 17025 clauses 8.2 to 8.9. What is important is that processes must be implemented and maintained in a manner that supports and demonstrates the fulfilment of ISO 17025:2017 Clauses 4 to 7 for all your laboratory activities. This means that the way the processes (8.2 to 8.9) were established, and how they are performed, documented and controlled, must include the activities in Clauses 4 to 7. For example, your audit programme must be revised. You will start with a gap evaluation to determine what new processes you need to include, and what mandatory documentation and records you need to "add on" and include in your Quality Manual.
You can download a free Project Plan for ISO/IEC 17025 implementation from the ISO17025 Academy at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation to assist you; as well as preview the ISO 17025 Quality Manual at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
For more information on Option B, see the article Maintaining and improving quality management in laboratories according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/iso-17025-maintenance-and-improvement-in-laboratories/
For more information on the relationship between ISO 9001 and ISO 17025, see the article ISO 17025 vs. ISO 9001 – Main differences and similarities at https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities/