Search results

Implementation of the controls before audit

If you go for the certification audit, you should have most of your controls implemented, and make sure that controls that mitigate the biggest risks are fully implemented.

In other words, you can leave only a smaller number of less significant controls to be implemented after the certification. In such a case, you have to ask risk owners to accept the residual risks.

This article will provide you a further explanation about certification:

• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

This material will also help you regarding certification:

• ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

Policy author

ISO 27001 does not prescribe that documents' author must be part of the organization, so by the standard the fact that the author is an external consultant is not a problem.

The auditor's concern may be related to the fact that an external consultant generally does not have deep knowledge of an organization to properly develop the documents.

In this case, you need to ensure that documents are evaluated and approved by personnel with the proper competencies to do that, so they can validate that the documents fulfill the needs of the organization. For example, the Information security policy must be evaluated and approved by the CISO and Top manager of the ISMS scope (e.g., the CEO if the scope is all the organization or the department head if the scope is limited to a single department), and IT-related policies (e.g., backup policy; IT procedures, etc.) need to involve the IT manager.

Provided that personnel from the organization with proper competencies are involved in the review and approval of documents, it should not be a problem who is writing them.

This article will provide you a further explanation about creating documents:

• 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
• How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/

This material will also help you regarding creating documents:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

ISMS controls refer to Finance

Many thanks Rhand for your quick response - very helpful 

Risk assessment review

1. When we revise a risk management table on annual basis (new document), I'm not sure if we assess risks (consequence and likelihood) with all implemented controls/safeguards on our mind or without them? If we take already implemented controls into account when assessing risks, almost all risks are acceptable (few residual remains), there is no need for additional treatment at this moment.

When you perform a risk assessment review, you need to consider the risk values including the effects of implemented controls. You only need to ensure that the information about the implemented controls are also documented in the risk assessment.

2. Hypothetical: if all risks are acceptable according to our methodology, is it ok not to have a Risk treatment plan?

It is acceptable to have no update in the current Risk Treatment Plan in case all risks are acceptable, but please note that the Risk Treatment Plan can also be used to improve controls efficiency (i.e., you can achieve the same results using fewer resources), or in case you need to change technology, but this change will not have an effect on the risk value.

This article will provide you a further explanation about continual improvement:

• Achieving continual improvement through the use of maturity models https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/

Risk Assessment Methodology

It is expected that under an ISO 27001 certified ISMS an organization has only one risk assessment and risk treatment methodology approach, so it can produce comparable results all across the ISMS scope, but there are rare cases where parts of the scope may be under different legal requirements (e.g., laws, regulations or contracts) demanding each one of them to use a different approach, or the performed processes defined by the organization require different approaches (e.g., risk management process for project development and for financial risk assessment).

In such cases, the ISMS must provide a way for the risks from different approaches to be compared (e.g., by using a conversion table, so the results from one approach can be translated to the other and vice versa)

This material will also help you regarding risk management for ISO 27001:

• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

ISO 45001 implementation

The ISO 45001 standard is best implemented as any other project, with a structure plan and a firm foundation in approval by top management. The plan needs to have adequate resources to see it though, from performing the gap analysis to see what you already have in place that meets the standard, through the certification process. The steps of the implementation are graphically represented below.

You can see the implementation process in this free: Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process

Cookies after blocking them

It depends on cookies, there are some cookies for functionalities that cannot be blocked without preventing the website to work (in this case the website will be compliant).

You should check what kind of cookies are still working and verify if they belong to cookies that can be blocked by users or not (tracking and statistic).

Cookies are ruled by the e-privacy directive and they are connected to GDPR through Article 13 on consent. This may the European Data Protection Board reviewed the guideline on consent under GDPR and listed cookies: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en 

You can find more information here:

• EU GDPR vs. European data protection directive: https://advisera.com/eugdpracademy/blog/2017/10/30/eu-gdpr-vs-european-data-protection-directive/

You may also consider enrolling in this online EU GDPR Foundations Course:

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Requirement of mentioning details of outsourced process in Clause 4.1.5 of ISO 13485

  In requirement 4.1.5 is stated that the control of the outsourced process should be written in the quality agreement. We in our ISO 13485 Documentation toolkit have a template for Quality agreement for critical suppliers. How template looks and which elements it has as you can find on the following link: 

  • Quality Agreement for Critical Supplier - https://advisera.com/13485academy/documentation/quality-agreement-for-critical-supplier/

  Another part of this topic is how you will define in your Purchasing process control over companies that provide you outsourced processes. According to the requirement 7.4.1 Purchasing process, an organization must plan monitoring and evaluation of suppliers. Usually, manufacturers that have outsourced processes plan an audit in those companies in a frequency that they find justified. These audits are performed by the same rules as their internal audits.

  You can find more information on how to control outsourced processes in the following article:

  • How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/

  • Objectives for Textile Unit manufacturing isolation gowns

    It is very hard for me to say what objectives you can have for your medical device. According to the requirement 5.4.1 Quality objectives, quality objectives are a tool to highlight essential elements in your quality policy, while giving employees a framework for achieving continual improvement.  For example, one goal can be to have less than 1% scrap in the production; or to reduce customer complaints from 5% to 3%. 

    Following articles can help you in that process:

    • Setting good quality objectives for ISO 13485 - https://advisera.com/13485academy/knowledgebase/setting-good-quality-objectives-for-iso-13485/
    • How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/

    You can also see how in our ISO 13485:2016 Documentation toolkit looks the template for setting quality objectives and planning:

    • Quality Objectives and Realization Plan https://advisera.com/13485academy/documentation/quality-objectives-iso-13485-2016/

    • ISO 9001 implementation

      Theoretically, the steps are the same as for any other company. In practice, there are differences around the more or less flexibility of the people involved.

      The first step is to perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis you can develop your Project Plan, listing what needs to be done, by whom, until when.

      Then, an important step is to design a model of how your organization work as a set of interrelated processes. For example:

      

      Decide how to describe and monitor those processes.

      From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

       

      This is a very short description of the journey but below you can find more detailed information:

      • Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
      • Free ISO 9001:2015 Gap Analysis Tool -https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
      • Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
      • ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
      • Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
      • Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
      • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
      • If you are in a hurry to implement your QMS, perhaps our ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ may be useful
      • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/