Search results

ISO 27001 implementation

Main challenges related to ISO 27001 implementation are:

• Lack of management support: without this support, you won't have the minimal resources and engagement to implement the required controls.
• Not using a project management approach: such implementation involves coordinating several people to perform dozens of activities, and without a methodology, you will finish inside a huge mess with no security at all.
• Lack of time for the implementation project: The project can be very important, but normally, there are a lot of urgent things happening that postpone the project.
• ISMS scope wrongly defined: not protecting information that really matters.
• Documentation: Procedures excess or lack of details may compromise operations.

This article will provide you additional information:

• The 3 key challenges of ISO 27001 implementation for SMEs https://advisera.com/27001academy/blog/2017/04/17/the-3-key-challenges-of-iso-27001-implementation-for-smes/

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Risk Statements

Please note that vulnerabilities are weaknesses related to an asset and they do not cause threats, they are exploited by them. Considering that, your proposed structure should be:

Threat (that has an effect on vulnerabilities) exploits a vulnerability, resulting in a business consequence.

Considering an asset-threat-vulnerability approach, your statement would be:

"Information system's" (asset) "breach of maintainability" (threat) due to "insufficient maintenance installation of storage media" (vulnerability). This may lead to XWY (consequence).

This article will provide you a further explanation about risk statement:

• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk statement:

• Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Quality assurance in medical education

Unfortunately, that is a very specific topic and we do not have any samples applicable to a quality assurance agency for medical education.

Perhaps this article could be useful, although it presents a general approach - Some tips to make Control of Records more useful for your QMS - https://advisera.com/9001academy/blog/2014/01/28/tips-make-control-records-useful-qms/

You can find more information in the following links:

• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Procedure for Document and Record Control - https://advisera.com/9001academy/documentation/procedure-document-record-control/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
   

Training and Development Program

Crafting a Training and Development Program can be based on the process approach, organizational knowledge and competence.

With the process approach you relate people, functions and activities. With organizational knowledge you relate functions with competence requirements. With competence you design Training and Development Program to close any competence gaps.

You can find more information in the following links:

• Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
• How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
• Using Competence, Training and Awareness to Replace Documentation in your QMS - https://advisera.com/9001academy/blog/2013/12/17/using-competence-training-awareness-replace-documentation-qms/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Continual review

While ISO 45001 does not talk about continual review, apart from the requirements for management review, the awareness requirements in clause 7.3 and communication requirements in clause 7.4 do provide a framework on what should be known by employees as well as the need for internal communication. Of course, the requirements for participation and consultation (clause 5.4) will also help with this on an ongoing basis.

As for a best practice for this activity, there are many things that can be used. Having OH&S information boards to share necessary information, having worker representatives for different worker groups who advise on OH&S in the workplace, and even routine workplace meetings that focus on health & safety.

You can learn more about the participation and consultation requirements in the article: How to meet participation and consultation requirements in ISO 45001, https://advisera.com/45001academy/blog/2016/03/16/how-to-meet-participation-and-consultation-requirements-in-iso-45001/

ISO 9001 in a service industry

The main purpose of a quality management system (QMS) is consistently meeting customer requirements and enhancing their satisfaction. The process approach is one of the eight quality management principles upon which ISO 9001:2015 is based. According to this principle, a desired result is achieved more efficiently when activities and related resources are managed as a process. So, ISO 9001:2015 invites organizations to see themselves as a system of interacting processes. One can say that the QMS is that collection of processes.

I like to use the process approach as a way of modeling how an organization works. For example, the main processes for a service providing organization can be around something like:

If your organization has other relevant interested parties you can add other processes for those other interactions

All organizations are different, so there is no universal set of processes. Each organization should design the set of interrelated processes that bests suits the purpose.

Once designed the model of how your organization works it is easy to relate each process to ISO 9001:2015 clauses. For example: the process above “Schedule the service” is mainly about clauses 8.2 and 8.5.1; the process “Purchase material or service” is about clause 8.4 and the process “Report the service” could be about clause 8.6 or 9.1.2.

Once designed the model of how your organization works it is easier to start planning the implementation.

Please check in this free webinar on demand how the set of processes can be determined and the process approach can be used - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/

You can find more information about the process approach in the following links:

• Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Free ISO 9001:2015 Gap Analysis Tool -https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (where I use the process approach as the basis for a QMS, unfortunately without an example from services)

Difference between the Risk management parts in the Toolkits

1. What is the difference between the Risk management parts (06) of ISO_13485_MDR_Integrated_Consultant_WL_Toolkit_Preview_EN and ISO_13485_MDR_Integrated_Documentation_Toolkit_Preview_EN?

There are no differences in the text of the document itself. The document is the same. The difference is that Consultant documents are "white-labeled" signs - do not have Advisera tags and whoever buys a consultant toolkit can use it for their clients. While "ordinary" documents/toolkits in accordance with Advisera's policy cannot be used to implement standards with the client.

2. And do I nee also the risk parts (6) of ISO_13485_Documentation_Toolkit_Preview_EN?

Yes, you do need this part. According to requirement 7.1 Planning the production, Risk management is a vital element of the ISO 13485:2016. This risk management is prepared according to the ISO 14971:2019 Medical devices - Application of risk management to medical devices - which is the only risk management standard from the list of harmonized standards: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC

Following article can make a better explanation:

• How to use ISO 14971 to manage risks for medical devices - https://advisera.com/13485academy/blog/2017/09/21/how-to-use-iso-14971-to-manage-risks-for-medical-devices/

• SAMA and ISO 27K: common control

  I'm understanding that by SAMA you mean Saudi Arabian Monetary Authority.

  Considering that, the 2017 version of SAMA Cyber Security Framework is based on industry cybersecurity standards, such as NIST, ISF, ISO, BASEL, and PCI.

  Unfortunately, we do not know SAMA CSF deeply enough to provide you detailed information about common controls. What we can tell broadly is the relation about domains:

  • Cyber Security Leadership and Governance is related to ISO 27001 clauses 4 (Context of Organization), 5 (Leadership), 7.2 (Competence), and 7.3 (Awareness), and controls from Annex A sections A.6.1 (Internal organization) and A.7.2 (During employment)
  • Cyber Security Risk Management and Compliance is related to ISO 27001 clauses 6.1.2 (Information security risk assessment), 6.1.3 (Information security risk treatment), 8.2 (Information security risk assessment), 8.3 (Information security risk treatment), 9.2 (Internal audit), 9.3 (Management review), and controls from Annex A section A.18 (Compliance)
  • Cyber Security Operations and Technology is related to ISO 27001 Annex A sections A.8 (Asset management) to A.16 (Information security incident management)
  • Third Party Cyber Security is related to ISO 27001 Annex A sections A.15 (Supplier relationships) and A.17 (Information security aspects of business continuity management)

• A.11 Domain Requirements List

  Please note that ISO 27001 standard is an intellectual property of the International Organization for Standardization, and listing the specific requirements here would be a violation of those rights. You can buy the standard at this link: https://www.iso.org/standard/54534.html

  Broadly speaking, controls from section A.11 aims to protect information by protecting facilities (A.11.1 - Secure areas, with 6 controls), and equipment (A.11.2 - Equipment, with 9 controls). The selection of controls, and how to implement them, will depend on the results of risk assessment and applicable legal requirements. For support in the implementation, you can consider ISO 27002, a supporting standard which provides guidance and orientation in the implementation of controls from ISO 27001 Annex A

  These articles will provide you a further explanation about controls from section A.11 and selection of controls:

  • Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
  • How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
  • How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/
  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

  These materials will also help you regarding ISO 27001 implementation:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Controls for Stage 2 audit

  If you go for the certification audit, you should have most of the controls stated in the SoA as applicable implemented, and make sure that controls that mitigate the biggest risks are fully implemented.

  In other words, you can leave only a smaller number of less significant controls to be implemented after the certification. In such a case, you have to ask risk owners to accept the residual risks.

  This article will provide you a further explanation about certification:

  • Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

  This material will also help you regarding certification:

  • ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/