Search results

Creating a new manual when implementing ISO 17025

No, you do not need to create a totally new quality manual. The ISO 17025 Quality Manual serves to document the overall Lab Quality Management System, providing a way to reference and link all the requirements together in one place. Your laboratory can implement ISO 17025 according to Option B. You can use your already established ISO 9001:2015 quality management system (and manual) to demonstrate compliance with the requirements for ISO 17025 clauses 8.2 to 8.9. What is important is that processes must be implemented and maintained in a manner that supports and demonstrates the fulfilment of ISO 17025:2017 Clauses 4 to 7 for all your laboratory activities. This means that the way that the processes (8.2 to 8.9) were established, how they are performed, documented and controlled, must include the activities in Clauses 4 to 7. For example, your audit programme must be revised. You will start with a gap evaluation to determine what new processes you need to include, what mandatory documentation and records you need to “add-on” and include in your Quality Manual.

You can download a free Project Plan for ISO/IEC 17025 implementation from the ISO17025 Academy at  https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation to assist you; as well as preview the ISO 17025 Quality Manual at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

For more information on Option B, see the article Maintaining and improving quality management in laboratories according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/iso-17025-maintenance-and-improvement-in-laboratories/For more information on the relationship between ISO 9001 and ISO 17025, see the article ISO 17025 vs. ISO 9001 – Main differences and similarities at https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities/

Security levels to have in the company

First, it is important to note that ISO 27001 does not prescribe levels of security, only that the information is adequately protected.

In this context, what generally occurs is the definition of information classification levels (eg public, restricted, and confidential), which require an increasing order of resources as the classification of information increases. The specific resources to be used will depend on the outcome of the risk assessment and applicable legal requirements.

For more information, see:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

As you mentioned initial, medium and advanced levels, I understand that it is also worth mentioning process maturity, which is also not required by the standard, but which can help in the implementation of the information security management system.

For more information, see:

• Achieving continual improvement through the use of maturity models https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/

Defining Scope

The definition of scope depends primarily on the information you want to protect (e.g., customer information, R&D information, financial information, all information, etc.). Based on the information you want to protect you can identify locations, processes, or business units where this information is stored, processed, or flows through to include in your scope.

For example, if you want to protect customer information only, the processes related to cloud management services should be in the ISMS scope.

These articles will provide you a further explanation about scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

Information security in project management

Thanks very much Rhand!

ISO 27001 Lead Auditor course

Both certifications are good and complement each other for a person looking for a career in information security because they offer different perspectives about how information interacts with the business.

ISO 27001 lead auditor focus on auditing information security management. CISA goes beyond auditing the scope of information security, and also consider the audit of strategic relationships between information security and the information systems and business objectives. 

This article will provide you a further explanation about CISA and ISO 27001:

• CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/

This material will also help you regarding ISO 27001 Lead Auditor:

• ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
• Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

Integrated implementation of ISO/IEC 27001:2018, ISO 9001:2015 and ISO 22301:2012

 ISO 22301, ISO 27001, and ISO 9001 shares many common requirements:

• document control
• internal audit
• management review
• non-conformities and corrective actions

These shared requirements allow an organization to save time and effort when integrating ISO management standards, because you will only have to make minimal adjustments to ensure compliance with common requirements, and you have more time to focus on the specifics of each standard.

Additionally, ISO 27001controls which requires the implementation of business continuity capabilities also can make use of ISO 22301 practices to fulfill these requirements. Of course, to implement ISO 9001 you may also require business continuity capabilities, and it also can benefit from ISO 22301 practices.

This article will provide you a further explanation about integrated systems:

• How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

This material will also help you regarding an example of integrating systems:

• ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

Security levels to have in the company

Primeiro é importante notar que a ISO 27001 não prescreve níveis de segurança, apenas que a informação seja adequadamente protegida.

Neste contexto, o que geralmente ocorre é a definição de níveis de classificação da informação (Ex.: pública, restrita e confidencial), os quais requerem uma ordem crescente de recursos a medida em que a classificação da informação cresce. Os recursos específicos a serem usados dependerão do resultado do levantamento de riscos e dos requisitos legais aplicáveis.

Para mais informações, veja:

• Classificação da Informação de acordo com a ISO 27001 https://advisera.com/27001academy/pt-br/blog/2014/05/14/classificacao-da-informacao-de-acordo-com-a-iso-27001/

Como você mencionou níveis inicial, médio e avançado, entendo que também vale mencionar maturidade de processos, que também não é requerido pela norma, mas que pode ajudar na implementação do sistema de gestão da segurança da informação.

Para mais informações, veja:

• Atingindo a melhoria continua através do uso de modelos de maturidade https://advisera.com/27001academy/pt-br/blog/2015/04/14/atingindo-a-melhoria-continua-atraves-do-uso-de-modelos-de-maturidade/

BCP Framework following ISO 22301

According to ISO 22301, a Business Continuity Plan must contain:

• Purpose, scope, and users
• Reference documents
• Assumptions
• Roles and responsibilities
• Key contacts
• Plan activation and deactivation
• Communication plan
• Incident response
• Physical sites and transportation
• Order of recovery for activities
• Recovery plans for activities
• Disaster recovery plan
• Required resources
• Restoring and resuming activities from temporary measures

To see how a BCP compliant with ISO 22301 looks like, please access the free demo in this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

This article will provide you a further explanation about BCP content:

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

This material will also help you regarding BCP content:

• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

Inlininig procedure for CAPA

This means that, when you detect a nonconformity, first you need to eliminate it, then you need to plan how you will eliminate the cause of this nonconformity. So you need to find out what is the cause of that nonconformity and find out with what actions this cause will be eliminated. When you know your actions, then you need to plan them and document them. If the action requires a change in your documentation, then you should also need to make a change in the proper documentation. Usually, there is a form that covers all elements for properly solving the nonconformity.

Here is the link to the preview of the request form from our ISO 13485:2016 Documentation toolkit:

• Corrective/Preventive Action Request https://advisera.com/13485academy/documentation/correctivepreventive-action-request-iso-13485-2016/

For more information on how to solve corrective action, please see the following articles:

• ISO 13485 continual improvement: Seven-step process for corrective and preventive actions - https://advisera.com/13485academy/knowledgebase/iso-13485-continual-improvement-seven-step-process-for-corrective-and-preventive-actions/
• Seven Steps for Corrective and Preventive Actions to support Continual Improvement https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
• How to proceed once a QMS corrective action is defined? https://advisera.com/9001academy/blog/2016/09/20/how-to-proceed-once-qms-corrective-action-is-defined/

In our ISO 13485:2016 Documentation toolkit, you can also see Procedure for corrective action:

• Procedure for Corrective and Preventive Action https://advisera.com/13485academy/documentation/procedure-for-corrective-and-preventive-action-iso-13485-2016/

• Documenting processes

  Put a sheet of scenery paper affixed to a wall. Then, bring together a diverse team of people who as a whole know the company from different perspectives. On one end of the paper put a sticky note saying, "Customer in need" and on the other end put another sticky note saying "Customer served". Then, in a collaborative brainstorming session use sticky notes to describe what happens from "Customer in need" until "Customer served". Follow a rule: each sticky note has a verb + a noun. For example: Receive order; Check order; Confirm order; ...

  When you feel you have already listed the essential activities, try to group them into what will be the organization's processes.

  This technique is described in this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/

  In my example we get this global process map:

  

  Then, for each process, based on the individual sticky notes you can draw a flowchart:

  

  Then, for each process, you can apply the risk-based approach and determine steps that need to be improved, either by changing practices, either by introducing SOPs, or either by introducing new controls.

  Please find an example from the above webinar here:

  

  The following material will provide you more information about the process approach:

  • In this free webinar on demand you can find the basis for determining process control plans - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • I base this book on the process approach - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/