Since you have already identified all applicable controls and the percentage by which they are already implemented, my suggestions for additional criteria to prioritize implementation are:
- controls which affect the highest risks (in fact, this should be your first criterion)
- which controls will have a more positive impact after implementation
- which controls require less effort to be implemented
Regarding starting with those that are lower in percentage, please note that a common risk in implementation projects is that a long period without results can decrease the supporters' interest in the project, so you should balance the implementation of controls which treat the highest risks with those that deliver the quickest results (i.e., implement and measure controls as fast as you can).
These articles will provide you with a further explanation about common controls:
- The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
- How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
These materials will also help you regarding controls implementation:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
I have identified the sections in our company manual to answer the questions, but do I need to obtain paper proof?
Answer:
You need to obtain evidence that supports the answers to your questions. What people say in their answers is not fact; it is pseudofact. You have to get evidence, facts that support what people say in their answers. For example, it might be a demonstration, or it might be a record, or it might be corroboration from others, in different places and at different times. So, you need proof, but not necessarily paper proof.
If I discover a procedure that has not been implemented, do I include it in the audit with a procedure to correct it?
Answer:
No. If the procedure is not implemented, you have found a nonconformity. You should write up the nonconformity with evidence. That is your role as auditor.
Auditors do not compromise their independence and impartiality by proposing a solution to the nonconformity. The solution is up to the quality manager or, even better, to the audited area manager. Auditees may decide that the procedure is OK, and that what was wrong was a lack of training, or ineffective training for the procedure users, for example. It is not the auditors' job to propose solutions.
The following material will provide you more information about internal audit:
The standard EN 13795-1:2019 Surgical clothing and drapes - Requirements and test methods - Part 1: Surgical drapes and gowns specifies performance requirements for gowns. It states the tests and the acceptance criteria for the different tests at standard and high performance levels. But you, as the manufacturer, are responsible for defining the specifications of your medical device.
Yes, your action is correct.
The process performance (KPI) data of the last 12 months are taken into consideration in every IATF 16949:2016 audit. These data should be recorded for each process defined in the quality management system. I recommend that you follow the process performance monthly or quarterly.
Example: If your last audit was done in April 2019; 12-month process performance data between April 2019 and April 2020 will be checked in your April 2020 IATF 16949:2016 audit. Of course, the goals and results of each process performance should be ready for the year 2018 and 2019.
In particular, the auditors want to see the progress of the targets by years. This is also very good evidence for the organization's level of continuous improvement.
For more information, please read the following article:
For more information, please see the following materials:
We are preparing for ISO 45001 and 14001. We have already been ISO 9001-2015 certified since 2013. Question: Shall we use the ISO 9001-2015 documents for the other 2 QMS?
How to establish the ISMS measurements?
Measurements are established based on the objectives the ISMS has to achieve (business-oriented objectives), as well as on the objectives established for the controls (security-oriented objectives).
Once these are defined, among other items, you also have to define:
These articles will provide you with a further explanation about ISMS measurement:
These materials will also help you regarding ISMS measurement:
Working on the Statement of Applicability as your starting point is not a good approach, because it only documents the results of previous efforts.
According to ISO 27001, to understand which of the 114 controls are going to be necessary, you need to perform the identification of applicable legal requirements and a risk assessment and treatment process.
The identification of legal requirements will help you identify laws, regulations, and contracts that demand the implementation of controls and the risk assessment and treatment will help you identify which controls you need to implement to handle the most relevant risks.
These articles will provide you with a further explanation about ISO 27001 and the application of controls:
These materials will also help you regarding ISO 27001 and application of controls:
As long as there are no legal requirements, and as long as there are no customer requirements, for example on contracts, organizations are free to determine the retention time for their records.
Normally, in these cases, I advise keeping records for 3 or 4 years, to ensure that records generated during a certification cycle will be available within that certification cycle.
The following material will provide you information about retaining records:
It is possible to use such a justification for the exclusion of a control, but please note that the common understanding is that information in the SoA refers to elements that are part of the ISMS scope, and such a justification (referring to elements not in the ISMS scope) would only add unnecessary complexity to your document (e.g., an auditor would have to work again on the ISMS scope document to confirm that the development process is out of scope).
It is simpler to say that the control is not applicable because there are no relevant risks and/or legal requirements demanding the implementation of the control.
The main purpose of a quality management system (QMS) is consistently meeting customer requirements and enhancing their satisfaction. The process approach is one of the eight quality management principles upon which ISO 9001:2015 is based. According to this principle, a desired result is achieved more efficiently when activities and related resources are managed as a process. So, ISO 9001:2015 invites organizations to see themselves as a system of interacting processes. One can say that the QMS is that collection of processes.
I like to use the process approach as a way of modeling how an organization works. For example, the main processes for a service-providing organization can be around something like:
All organizations are different, so there is no universal set of processes. Each organization should design the set of interrelated processes that best suits its purpose.
Please check this free on-demand webinar on how the set of processes can be determined and the process approach can be used - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
You can find more information about the process approach in the following links: