Search results

Major vs Minor nonconformity

Could you please let me know what is the difference between major and minor nonconformity?

Answer:

Minor nonconformity - a nonconformity that does not affect the capability of the management system to achieve the intended results. An example might be that you find some people have not undertaken training that the organization has made mandatory (ISO 9001 clause 7.2), but you find that those people are still competent to carry out their tasks.

Major nonconformity - a nonconformity that affects the capability of the management system to achieve the intended results or in other words, when you have found that the requirement of the standard has not been met. For example, if an organization completely failed to fulfill a certain requirement; if a process has completely fallen apart; or if you have several minor nonconformities that are related to the same process, or to the same element of your management system.

Could you please provide any practice tests/incidences to rule out any nonconformity present in the scenario?

Answer

Whenever a requirement, from the standard, or from regulation, or from internal documents, is not being met you have a nonconformity. To decide if it is major you can follow the criteria in this article - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

You can find more information about nonconformities at:

• Article – How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
• Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - Discover ISO 9001:2015 Through Practical Examples -https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

User Account Responsibilities

This case still must be listed as an exception, even if the credentials are not shared with other team members, because the control requires unique credentials for each employee who access the device (in this case a computer).

Adopting the ISO 27001 standard

For a presentation platform, you can use any common marketing solution you feel comfortable to use. Our common suggestion is MS PowerPoint.

Regarding why implementing ISO 27001, you can show these 4 benefits:

• Enhanced competitive edge
• Reduction on losses due to security incidents
• Reduction on fines due to legal or contractual non-conformity
• Improvement of internal organization

To see how an ISO 27001 presentation looks like, I suggest you to take a look at this free download material: Project proposal for ISO 27001 implementation (MS PowerPoint) https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-implementation-powerpoint

These articles will provide you a further explanation about ISO 27001 benefits:

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• How to gain employee buy-in when implementing cybersecurity according to ISO 27001 https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-when-implementing-cybersecurity-according-to-iso-27001/

These materials will also help you regarding ISO 27001 benefits:

• ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/

Business impact analysis

Please note that although connected, BIA and Risk Assessment are different processes, and this connection does not make obsolete ISO 22317:2015, which defines guidelines for business impact analysis. You can still use this standard to help develop a BIA approach.

This article will provide you a further explanation about BIA and risk assessment:

• Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

Clause 8.3. applicability

Clause 8.3 is not about designing Standard Operating Procedures for use in-house.

Clause 8.3 is about designing a new product or service. Clause 8.3 may be the main job in your scientific research lab.

Whenever there is a go decision for a new research your lab has to:

• Set up a project team with resources, responsibilities and authorities. Set up a project plan - (this is about clause 8.3.2)
• Collect inputs (state of the art data and information, legislation and regulation applicable) - (this is about clause 8.3.3)
• Following the project plan there is reviewed, final verification and validation controls are - (this is about clause 8.3.4)
• An output comes out of a successful project plan – a prototype, specifications to manufacture or provide or use, Standard Operating Procedures to manufacture or provide or use, … - (this is about clause 8.3.5)
• Changes - (this is about clause 8.3.6)
   

So, it is very difficult to justify that clause 8.3 is not applicable to a scientific research lab implementing a quality management system according to ISO 9001:2015

The following material will provide you more information about design and development:

• The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
• Procedure for Design and Development - https://advisera.com/9001academy/documentation/procedure-design-development/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO Standards for HR Policies

 In a general way, the benefits of adopting ISO standards are related to:

• Enhanced competitive edge
• Reduction on losses due to errors, failures or incidents
• Reduction on fines due to legal or contractual non-conformity
• Improvement of internal organization

These articles will provide you a further explanation about ISO 27001 benefits:

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• How to gain employee buy-in when implementing cybersecurity according to ISO 27001 https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-when-implementing-cybersecurity-according-to-iso-27001/

These materials will also help you regarding ISO 27001 benefits:

• ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

Maintenance of ISO 27001

1. I want the process of maintenance after organization certified with ISO 27001.

ISMS maintenance involves

• operate the ISMS
• update documentation
• review risk assessment
• monitor and measure the ISMS
• perform internal audit
• perform management review
• perform corrective actions

These articles will provide you a further explanation about ISMS maintenance:

• ISO 27001 Certification: What’s next after receiving the audit report? https://advisera.com/27001academy/blog/2015/05/18/iso-27001-certification-whats-next-after-receiving-the-audit-report/
• How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/

2. How to maintain the document policies procedures etc related the ISMS

Asset for Risk Assessment

The best way to check if all relevant assets are identified is by interviewing the people most related to the information the ISMS is being designed to protect (e.g., end-users, IT staff, managers, etc.). Additional information may be found in the available documentation, like procedures, and inapplicable legal requirements (e.g., laws, regulations, and contracts).

In our template for Risk assessment (https://advisera.com/27001academy/documentation/risk-assessment-table/), you will get a checklist of potential assets that could be included.

This article will provide you a further explanation about assets:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

ISO 9001 for international quality mark

ISO 9001:2015 is a standard for organizations not products. Certification bodies have strict rules to prevent connecting certification and products. For example, a label with the certification mark cannot be applied into a product or a package in direct contact with the product.

To be able to answer is question you must first answer to the question about what job do you need for your exclusive product?

1. Is it intellectual property protection?
2. Is it compliance with a legal requirement such as CE mark?
3. Is it a mark to convey credibility and image?
4. Another one?

ISO 9001:2015 certification is:

• very useful for 3
• may be useful for 2, since it sets a quality control plan and some preventive actions
• not useful for 1

Perhaps the information below is useful for you:

• Article - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• Article - ISO 9001 Certification - https://advisera.com/9001academy/iso-9001-certification/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 27001-ISO 27017 and ISO 27018

 If these apps you mentioned are not negatively affecting your ISMS scope by going into the cloud, or if their impacts are considered in the ISMS in a way that the related risks are acceptable, e.g., by the application of proper controls, then your assumption is correct, and your ISO 27001 certification is not at risk.

These articles will provide you a further explanation about ISO 27001 scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/