Do I need to list individual software licenses in the risk assessment or can they be put into broader categories? I’m thinking ahead to an eventual audit and what an auditor might want to see to show that we are taking everything into account.
i.e.
Software tools that may contain PII and/or confidential information
Software tools that do not contain PII and/or confidential information
And do they need to be separated by whether they are run on premises only or in the cloud?
Or, do I need to put:
Salesforce.com
Microsoft Office
etc., and list all threats/vulnerabilities of each? We have a list of all software tools that contain PII for GDPR already in the Appendix – Inventory of Processing Activities.
You don't have to fill in each and every software license separately - you can just specify that you have a class called "software licenses" and associate to it the threats and vulnerabilities common to all of them. In case you have threats and vulnerabilities related to a specific software license, then you can list that software license separately for that set of threats and vulnerabilities.
For further information, see:
Is there an easy way to know which controls would apply for each vulnerability? I.e. a mapping to the vulnerabilities that are pre-populated in the Risk Assessment? I think that each vulnerability listed probably has a specific control so having a mapping would save a lot of time vs trying to match them one by one.
There is no definitive document we can recommend, since, for each organization, the applicable controls may vary according to the organization's risk tolerance and results of risk assessment (for the same vulnerability one or more controls may be applicable). Additionally, such documents may mislead organizations while implementing their own practices, because they may understand that these are the solution for their risk, without considering their own organizational context.
These materials will also help you regarding risk treatment:
When creating the risk assessment using the Asset-Threat Vulnerability method and assigning a Likelihood do we take into account the current state of that risk given our already implemented (pre-ISO27001) controls? i.e. if we have multi-factor authentication the risk of access to our email system is lower, therefore would we put a lower number for likelihood? I assume this is the case, but am not clear.
Your understanding is correct. When you perform a risk assessment, you need to consider the risk values including the effects of implemented controls. You only need to ensure that the information about the implemented controls is also documented in the risk assessment.
Do you suggest using the OCTAVE Allegro worksheets (or something similar) for polling the risk owners while creating the Risk Assessment, or is there a questionnaire available that can be sent to them with specific questions that I am missing?
OCTAVE or other approaches for identifying risks are not needed. You can ask your asset owners to simply identify threats/vulnerabilities that can affect their assets based on the catalog of threats/vulnerabilities included in the Risk Assessment Table, located in the folder 10 Risk Assessment and Risk Treatment.
For further information, see:
Each organization can develop its own method for calculating significant environmental aspects, considering its own reality, complexity and dimension. Please consider the guidelines in this article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
You can find more information in the following links:
First, not all suppliers are equal, or have the same impact on the project. So, your organization can start to evaluate supplier’s potential impact on the project with quality problems or delays.
Second, for the critical suppliers your organization can require a quality plan. As soon as you realize that a supplier is or will be critical, a quality plan should be requested. Ideally, the quality plan should be part of the supplier proposal when answering a request for quotation.
In this case a quality plan is a document setting supplier’s arrangements needed to ensure and demonstrate that quality is embedded in products and services during its creation and not just before sending to the customer.
The following material will provide you more information about quality plans:
If you check ISO 9001:2015 clause 0.4 you can find something like: ISO 9001:2015 does not include specific requirements from what could be from other management systems like environmental management, Health and Safety or finance management.
So, when it comes to legal and statutory requirements, an ISO 9001 certification auditor will check if your organization identified and complies with those that are applicable to your organization’s products or services, contracts with customers, and processes. For example, you may have to comply with legal requirements about the qualifications of someone doing a particular job or function.
The following material will provide you more information about ISO 9001:2015:
No, it is not difficult to implement a quality management system in a town hall. The point is that one does not implement a quality management system generically to all activities of a town hall. One has to define the scope of activities to be included. For example, a town near where I live has the town hall certified with the following scope:
The following material will provide you more information about ISO 9001:2015:
Ensuring employee participation and consultation is an important part of the ISO 45001 standard, but remember that this does not mean that every employee needs to be part of the implementation process. I would suggest that you have different departments decide on representatives to aid in the implementation, much like some joint health & safety committees are formed, as this would give all employees a voice in the implementation process and a contact for questions and feedback.
You can read more about the ISO 45001 requirements in the article: How to meet participation and consultation requirements in ISO 45001, https://advisera.com/45001academy/blog/2016/03/16/how-to-meet-participation-and-consultation-requirements-in-iso-45001/
From your question, I do not know what kind of consultancy team you need. In my opinion, in defining KPIs, the best is to start from the end, what does your organization want from the consultancy team, and in what time period. To give you more advice, I need to have more data about what kind of consultancy team you need.
The following articles can help you:
You can conduct, prior to the ISO 13485:2016 certification, a first-in-human feasibility study according to the Investigational Device Exemptions (IDEs) for Early Feasibility Medical Device Clinical Studies, Including Certain First in Human (FIH) Studies: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/investigational-device-exemptions-ides-early-feasibility-medical-device-clinical-studies-including
This way you will be sure that your medical device has proper intended use and be sure that it is a medical device. After you get that approval, you can go to the ISO 13485:2016 certification. However, certain steps in this feasibility study will be covered by requirement 7.3 Design and development, so be sure that you have records of each step that is required.
For more information on managing the design, please see the following link:
Also, you can see how records about design and development look like in the ISO 13485:2016 Documentation toolkit on the following link:
Please note that this section consolidates information about how to handle records mentioned in the content of the document (e.g., who is responsible for them, where they are stored, for how long they need to be kept, etc.). This information is needed to help fulfill requirements from section 7.5 of the standard (Documented Information).
So our recommendation is for you to keep this section (the alternative would be to include the above-mentioned information in the place where the record is mentioned, which would make the document more complex to read).
This article will provide you with a further explanation about documents:
This material will also help you regarding document management:
First, it is important to note that ISO 27001 only requires incident management related documents and records if controls from section A.16 are stated as applicable in the Statement of Applicability.
Considering that, provided that your implemented solution (help desk system) fulfills the standard's requirements for incident management, you do not need to implement a specific incident management form.
These articles will provide you with a further explanation about incident management: