ISO 9000:2015 defines neither document control nor document management. So, there is no authoritative answer. Some people may use those two terms interchangeably.
Commonly the use of “document management” is related to the storage and indexing of documents for easy access. Quality management systems traditionally use “document control” related to storage and indexing of documents for easy access, but also security, intellectual property protection, version control, availability and authority for approval.
You can find more information about ISO 9001 documentation below:
Depending on your organization (e.g. size, industry, structure, etc.) there are various challenges while implementing ITIL - costs of the implementation (e.g. tools, time of internal resources or consultants, etc.), whether an IT Service Management tool is in place, knowledge... are just some of them.
Some can remain once the implementation is over (e.g. costs of external/internal resources or quality of the implemented ITSM tool), but there are some others as well - how efficient your ITIL processes are (or how complex they are), related (human) resources and the quality (as well as know-how) of their work, support of your management, etc.
Here are more details: 5 excuses why IT organizations avoid ITIL implementation - https://advisera.com/20000academy/blog/2015/08/25/5-excuses-why-it-organizations-avoid-itil-implementation/
Whenever ISO 9001:2015 uses the wording “The organization shall retain appropriate documented information” and the key word is “retain”, ISO is making a record mandatory.
Please consider the list of mandatory records in this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
You can find more information about ISO 9001 below:
They are manufacturers of raw materials/components. In the Medical device file, they will have basic information on the components that they produce like, of course, if it is applicable: specifications, technical drawings, storage conditions, material safety data sheets, any test results, instructions of services or installation at the medical device manufacturer, labels. You can completely adapt this to your own needs.
1. Although my tool kit is supposed to include ISO 27001, 27017 and 27018, the Project Plan template only refers to 27001 and Business Continuity. Should it not include all 3? My concern is that I am missing something in the project plan because the template does not talk about all 3.
Please note that ISO 27017 and ISO 27018 are supporting standards for the implementation of ISO 27001, providing specific guidance and controls for cloud services and privacy in the cloud.
Considering that, the main elements which refer to controls implementation in the project plan are the "Statement of Applicability" and the "Risk Treatment Plan", which are included as deliverables in the Project Plan, section 3.2 (Project results). At this point in the project there is no need (or possibility) to foresee specific controls to be implemented (this definition is made after the risk assessment and risk treatment process).
What you can do to emphasize that your project considers both ISO 27017 and ISO 27018 is to include them as reference documents in section 2.
For further information see:
2. I am also confused about Business Continuity. Does that need to be in or not? You have taken it out in the demo.
Business continuity does not need to be implemented if you want to be certified only against ISO 27001, so you can delete from the Project Plan the elements related to ISO 22301.
What happens with the Project Plan template is that it was designed to be used to implement both standards, and can be customized to fulfill customers' needs. In the comments included in the template you can find which text must be excluded or adjusted if you are going to implement only ISO 27001.
3. There is no section in the Project Plan for training. Should this not be part of the Project Plan?
Training as a deliverable is defined in section 3.2 (Project results) in the form of the "Training and Awareness Plan", which defines how employees will be trained to execute planned tasks, and how they will be made aware of the importance of information security.
Training for the project team can be defined in section 3.5 (Main project risks) as a treatment in case you have a risk related to untrained personnel in the project team.
For further information, see:
4. Should there not be a section on the test audit date as well?
Please note that there is no "test audit" concept in ISO 27001. What you need to perform is a full internal audit on all mandatory requirements and all applicable controls, and the definition of audit dates will be covered when filling in the "Procedure for Internal Audit" and its supporting Annex "Annual Internal Audit Program".
For further information, see:
These materials can also help you regarding internal audit:
5. It seems like the Project Plan is just about completing the documents and nothing else.
First, it is important to note that this is a common misunderstanding.
Please note that at this stage of the project, without the definition of the ISMS scope and policy, and the definition of the controls to be implemented, there is not much to do other than completing the documents, but once you have the Statement of Applicability and the Risk Treatment Plan you will have a greater level of detail on what needs to be implemented in terms of processes and technologies.
To have a detailed idea of activities involved in the implementation, I suggest you take a look at this free downloadable material: Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation
This checklist can help you keep track of all steps during the ISO 27001 implementation project, starting with obtaining management support all the way through to certification audit.
Please note that there is no specific document for control A.7.2.1 because management responsibility is documented across several documents in the toolkit, like the Information Security Policy and Management review minutes.
For further information see:
Regarding control A.13.1.3, it is important to note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:
1) ISO 27001 does not require each and every control to be documented
2) If the toolkit had a document for each control, there would be too many documents and this would be an overkill for smaller and mid-size companies.
Since our target is SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:
Documents that cover the remaining mentioned controls are located as follows:
Please note that included in your toolkit there is a List of Documents file that can show you which clause and control of the standard are covered by each document.
As an auditor you should be able to demonstrate your competence to your customers. As a minimum you should demonstrate certification as lead auditor, and certification that you know the standard. So, I would recommend training to formalize your knowledge of ISO 9001:2015, followed by several internal audits to gain experience.
The following material will provide you information about ISO 9001:2015:
Before you can determine what measures are required, you need to develop and validate the method. This provides valuable information on what performance to expect from a method, for example limit of detection, accuracy and repeatability. The ruggedness (robustness) studies will indicate what the influencing factors are during normal usage, for example instrument stability and sensitivity of the method to sample matrix changes. You will then know the “method risks” that need to be controlled and monitored to ensure the ongoing validity of results from a method.
Ensuring the validity of a test involves taking measures to monitor and evaluate analytical data, and acting on any trends noted in the performance of a method for specific samples or a batch of samples. Typically you would use statistical techniques and QC charts to plot and detect trends and nonconforming work, to avoid realising suspect results. The data comes from two quality control processes. The first is External Quality Control. Here, through regular participation in a formal proficiency testing scheme or interlaboratory comparison, you will evaluate your laboratory performance for any significant statistical bias against other laboratories performing the same test.
The second process is Internal Quality Control, where you could include a number of measures, depending on your method and need. It will involve running and analysing a suitable number of quality control materials (samples) in each batch. These could be blanks, certified reference samples, spiked samples, check samples and/or sample replicates to measure an acceptable accuracy or repeatability of your method. The criteria for acceptance of the results must be established. If the criteria are met, then the results can be realised with confidence. For example, a typical QC criterion is that the result for an internal control sample run over a period of time must fall above and below its mean in a random pattern, but within set upper and lower control limits.
The ISO 17025 toolkit document template: Quality Assurance Procedure includes the Quality Control requirements to ensure valid results from all testing and calibration activities. It is available, including a free preview at https://advisera.com/17025academy/documentation/quality-assurance-procedure/
The specific Quality Control methods and frequency must be established by the laboratory, based on risk. This will depend on the method type, and the use of the results.
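As an added illustration of the QC chart check described above (not code from the toolkit or the original answer), this script derives control limits from a baseline period and screens a batch of internal control results; it assumes mean ± 2σ warning limits, mean ± 3σ action limits and a seven-point run rule as the laboratory's acceptance criteria, which are choices the laboratory must make based on risk.

```python
"""Shewhart-style control chart check for internal QC sample results.

Assumptions (not from the page): warning limits at mean +/- 2 sigma,
action limits at mean +/- 3 sigma of a baseline period, and seven
consecutive results on one side of the mean treated as a non-random trend.
"""
from statistics import mean, stdev

WARNING_SIGMAS = 2.0
ACTION_SIGMAS = 3.0
RUN_LENGTH = 7  # consecutive results on one side of the mean


def control_limits(baseline):
    """Centre line and warning/action limits from baseline QC results."""
    centre, sigma = mean(baseline), stdev(baseline)
    return {
        "mean": centre,
        "warning": (centre - WARNING_SIGMAS * sigma, centre + WARNING_SIGMAS * sigma),
        "action": (centre - ACTION_SIGMAS * sigma, centre + ACTION_SIGMAS * sigma),
    }


def evaluate(results, limits):
    """Return (index, value, finding) for every result that needs attention."""
    findings, run_side, run_len = [], None, 0
    lo_a, hi_a = limits["action"]
    lo_w, hi_w = limits["warning"]
    for i, value in enumerate(results):
        if not lo_a <= value <= hi_a:
            findings.append((i, value, "action limit exceeded: reject batch"))
        elif not lo_w <= value <= hi_w:
            findings.append((i, value, "warning limit exceeded: investigate"))
        # Run rule: results should scatter randomly about the mean.
        side = "above" if value > limits["mean"] else "below" if value < limits["mean"] else None
        if side is None or side != run_side:
            run_side, run_len = side, (1 if side else 0)
        else:
            run_len += 1
        if run_len == RUN_LENGTH:
            findings.append((i, value, f"{RUN_LENGTH} results {side} mean: trend"))
    return findings


def releasable(findings):
    """Results may be released only if no action-limit or trend finding exists."""
    return all(f.startswith("warning") for _, _, f in findings)


# Constructed sample data: a baseline period, then one batch of control results.
BASELINE = [9.9, 10.1, 10.0, 9.8, 10.2, 10.0, 9.9, 10.1, 10.0, 10.0]
BATCH = [10.05, 9.95, 10.30, 10.02, 9.60, 10.01, 10.02, 10.03, 10.01, 10.04, 10.02, 10.05, 9.98]

if __name__ == "__main__":
    lim = control_limits(BASELINE)
    for finding in evaluate(BATCH, lim):
        print(finding)
    print("releasable:", releasable(evaluate(BATCH, lim)))
```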
Internal documents are issued by your organization. For example, procedures, work instructions, records. Any change in internal documentation is decided and controlled by your organization.
External documents are documents relevant for your quality management system but issued by an external organization. For example, a standard, or regulation, or legislation. Any change in external documentation is decided by an external organization but your organization must be aware of it.
You control your data when you control your records.
You can find more information about document control below:
Could you please let me know what is the difference between major and minor nonconformity?
Answer:
Minor nonconformity - a nonconformity that does not affect the capability of the management system to achieve the intended results. An example might be that you find some people have not undertaken training that the organization has made mandatory (ISO 9001 clause 7.2), but you find that those people are still competent to carry out their tasks.
Major nonconformity - a nonconformity that affects the capability of the management system to achieve the intended results or in other words, when you have found that the requirement of the standard has not been met. For example, if an organization completely failed to fulfill a certain requirement; if a process has completely fallen apart; or if you have several minor nonconformities that are related to the same process, or to the same element of your management system.
Could you please provide any practice tests/incidences to rule out any nonconformity present in the scenario?
Answer:
Whenever a requirement, from the standard, or from regulation, or from internal documents, is not being met you have a nonconformity. To decide if it is major you can follow the criteria in this article - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
You can find more information about nonconformities at: