Search results

Integrated implementation of ISO/IEC 27001:2018, ISO 9001:2015 and ISO 22301:2012

 ISO 22301, ISO 27001, and ISO 9001 shares many common requirements:

• document control
• internal audit
• management review
• non-conformities and corrective actions

These shared requirements allow an organization to save time and effort when integrating ISO management standards, because you will only have to make minimal adjustments to ensure compliance with common requirements, and you have more time to focus on the specifics of each standard.

Additionally, ISO 27001controls which requires the implementation of business continuity capabilities also can make use of ISO 22301 practices to fulfill these requirements. Of course, to implement ISO 9001 you may also require business continuity capabilities, and it also can benefit from ISO 22301 practices.

This article will provide you a further explanation about integrated systems:

• How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

This material will also help you regarding an example of integrating systems:

• ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

Security levels to have in the company

Primeiro é importante notar que a ISO 27001 não prescreve níveis de segurança, apenas que a informação seja adequadamente protegida.

Neste contexto, o que geralmente ocorre é a definição de níveis de classificação da informação (Ex.: pública, restrita e confidencial), os quais requerem uma ordem crescente de recursos a medida em que a classificação da informação cresce. Os recursos específicos a serem usados dependerão do resultado do levantamento de riscos e dos requisitos legais aplicáveis.

Para mais informações, veja:

• Classificação da Informação de acordo com a ISO 27001 https://advisera.com/27001academy/pt-br/blog/2014/05/14/classificacao-da-informacao-de-acordo-com-a-iso-27001/

Como você mencionou níveis inicial, médio e avançado, entendo que também vale mencionar maturidade de processos, que também não é requerido pela norma, mas que pode ajudar na implementação do sistema de gestão da segurança da informação.

Para mais informações, veja:

• Atingindo a melhoria continua através do uso de modelos de maturidade https://advisera.com/27001academy/pt-br/blog/2015/04/14/atingindo-a-melhoria-continua-atraves-do-uso-de-modelos-de-maturidade/

BCP Framework following ISO 22301

According to ISO 22301, a Business Continuity Plan must contain:

• Purpose, scope, and users
• Reference documents
• Assumptions
• Roles and responsibilities
• Key contacts
• Plan activation and deactivation
• Communication plan
• Incident response
• Physical sites and transportation
• Order of recovery for activities
• Recovery plans for activities
• Disaster recovery plan
• Required resources
• Restoring and resuming activities from temporary measures

To see how a BCP compliant with ISO 22301 looks like, please access the free demo in this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

This article will provide you a further explanation about BCP content:

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

This material will also help you regarding BCP content:

• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

Inlininig procedure for CAPA

This means that, when you detect a nonconformity, first you need to eliminate it, then you need to plan how you will eliminate the cause of this nonconformity. So you need to find out what is the cause of that nonconformity and find out with what actions this cause will be eliminated. When you know your actions, then you need to plan them and document them. If the action requires a change in your documentation, then you should also need to make a change in the proper documentation. Usually, there is a form that covers all elements for properly solving the nonconformity.

Here is the link to the preview of the request form from our ISO 13485:2016 Documentation toolkit:

• Corrective/Preventive Action Request https://advisera.com/13485academy/documentation/correctivepreventive-action-request-iso-13485-2016/

For more information on how to solve corrective action, please see the following articles:

• ISO 13485 continual improvement: Seven-step process for corrective and preventive actions - https://advisera.com/13485academy/knowledgebase/iso-13485-continual-improvement-seven-step-process-for-corrective-and-preventive-actions/
• Seven Steps for Corrective and Preventive Actions to support Continual Improvement https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
• How to proceed once a QMS corrective action is defined? https://advisera.com/9001academy/blog/2016/09/20/how-to-proceed-once-qms-corrective-action-is-defined/

In our ISO 13485:2016 Documentation toolkit, you can also see Procedure for corrective action:

• Procedure for Corrective and Preventive Action https://advisera.com/13485academy/documentation/procedure-for-corrective-and-preventive-action-iso-13485-2016/

• Documenting processes

  Put a sheet of scenery paper affixed to a wall. Then, bring together a diverse team of people who as a whole know the company from different perspectives. On one end of the paper put a sticky note saying, "Customer in need" and on the other end put another sticky note saying "Customer served". Then, in a collaborative brainstorming session use sticky notes to describe what happens from "Customer in need" until "Customer served". Follow a rule: each sticky note has a verb + a noun. For example: Receive order; Check order; Confirm order; ...

  When you feel you have already listed the essential activities, try to group them into what will be the organization's processes.

  This technique is described in this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/

  In my example we get this global process map:

  

  Then, for each process, based on the individual sticky notes you can draw a flowchart:

  

  Then, for each process, you can apply the risk-based approach and determine steps that need to be improved, either by changing practices, either by introducing SOPs, or either by introducing new controls.

  Please find an example from the above webinar here:

  

  The following material will provide you more information about the process approach:

  • In this free webinar on demand you can find the basis for determining process control plans - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • I base this book on the process approach - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• Lab requirements for counting plates

  From your question, I assume you are asking specifically what facility and environmental conditions are required for a microbiological laboratory, in terms of ISO 17025 accreditation. As you asked about the room, I will respond with a few requirements related to facilities and environmental conditions, clause 6.3 of ISO 17025:2017. The requirement is that facilities and environmental conditions must be suitable, documented, controlled, monitored, recorded and periodically reviewed. To determine what is suitable for your laboratory, you will need to look at the activities that will take place in the “room” and what regulatory requirements are required, i.e. the context.  

  Remember ISO 17025 is a guideline to assist you achieve competency, impartiality and consistent operations.  The facilities and controls necessary will depend on the type of testing being performed. You will need to do a risk assessment to identify the controls necessary, by considering anything that could lead to a deviation from meeting regulatory and quality requirements. For example high risk micro-organisms may require a negative pressurised room.  Address issues such as hygiene and cleaning protocols, access control, structural layout to provide for separation of activities, as well as equipment needed to minimise cross-contamination  - type of surfaces, ventilation, and suitable class of biosafety cabinets. Facilities should include suitable disposal of waste and sterilisation of materials.

  For further information see the following:
  The article What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
  ISO 17025 toolkit Facilities and Environmental Condition Procedure at https://advisera.com/17025academy/documentation/facilities-and-environmental-condition-procedure/

  The article Five-step laboratory risk management according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/
  The webinar How to manage risks in laboratories according to ISO 17025 at https://advisera.com/17025academy/webinar/iso-17025-risk-management-how-to-manage-it-free-webinar-on-demand/

• Starting a company with ISO 9001 Lead Auditor certification

  Yes, we have an ISO 9001:2015 Lead Auditor Course. I believe you mean to start a consulting company, to help organizations implement a quality management system and get certification. If that is the case the Lead Auditor Course can help you demonstrate knowledge and competence. Perhaps our ISO 9001:2015 Lead Implementer Course could be useful. Please check this article about how our list of courses can help professionals in their journey - How to choose the most appropriate training - https://advisera.com/training/compare/

  The following material will provide you more information about consulting:

  • How to become an ISO 9001 consultant - https://advisera.com/9001academy/blog/2016/11/15/how-to-become-an-iso-9001-consultant/
  • How to sell your ISO 9001 consulting services - https://advisera.com/9001academy/blog/2017/06/20/how-to-sell-your-iso-9001-consulting-services/
     

• Software as Medical Device

  For classification of the software to be a medical device, please see Rule 11 from Medical device regulation MDR 2017/745 here:

  • EU MDR Annex 8 – Classification rules https://advisera.com/13485academy/mdr/classification-rules/
  Software intended to provide information which is used to make decisions with diagnosis or therapeutic purposes is classified as class IIa, except if such decisions have an impact that may cause:

  death or an irreversible deterioration of a person’s state of health, in which case it is in class III; ora serious deterioration of a person’s state of health or surgical intervention, in which case it is classified as class IIb.Software intended to monitor physiological processes is classified as class IIa, except if it is intended for monitoring of vital physiological parameters, where the nature of variations of those parameters is such that it could result in immediate danger to the patient, in which case it is classified as class IIb.

  All other software is classified as class I.

  Manufacturers of a medical device must have implemented ISO 13485:2016.

  More information about this standard you can find on the following links:

  • What is ISO 13485? - https://advisera.com/13485academy/what-is-iso-13485/
  • Clause-by-clause explanation of ISO 13485:2016 - https://info.advisera.com/13485academy/free-download/clause-by-clause-explanation-of-iso-13485
  • Checklist of ISO 13485 implementation and certification steps - https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
  • Free webinar on demand: A how-to guide for ISO 13485 implementation - https://advisera.com/13485academy/webinar/a-how-to-guide-for-iso-13485-implementation-free-webinar-on-demand/

  • Health, safety and EMS in a construction company

    As ISO 14001 and Iso 45001 are written to be used by any industry, the process of implementation is the same for construction, the main difference is that the environmental aspects (interactions with the environment), OH&S hazards and legal requirements will be different. Start each implementation off with management support, and ensure that you implement each part of the standards. You can see the implementation process for ISO 14001 here (ISO 14001:2015 Implementation diagram, https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram) and ISO 45001 here (Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process).

    If you are implementing both ISO 14001 and Iso 45001, it might be helpful to see our whitepaper on integrating management systems; How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001

  • ISO 14001 certification at corporate level

    Yes, it is possible to certify your EMS at the corporate level. If an organization has more than one location, the scope should include the activities or processes involved, the products or services considered, and the name and addresses of each location. Each location has to comply with legal and regulatory requirements applicable to its own location.

    You can find more information in the following links:

    • Although from ISO 9001 this article can be useful - Certifying different legal entities under one certification scope in ISO 9001 - https://advisera.com/9001academy/blog/2018/03/27/certifying-different-legal-entities-under-one-certification-scope-in-iso-9001/
    • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/