Search results

Strategic direction in the context of ISO 9001

ISO 9001:2015 mentions "strategic direction" in clauses 4.1, 5.1.1b), 5.2.1 a) and 9.3.1.

ISO 9000:2015 defines strategy as "plan to achieve a long-term or overall objective".

Strategy is about establishing a set of consistent rules about what to do and whom to serve, and about what not to do and whom not to serve. Adopting and following those rules sets a path, an orientation, a direction: the strategic direction.

For example, if an organization decides to serve customers that value the lowest price above all, it has to concentrate on efficiency, on volume, on big orders, and look for process innovations that reinforce those topics. Another organization, in the same economic sector, may decide to serve customers that value premium-service. These organizations are different, require different processes or are managed with different priorities in mind. Just compare the profiles, priorities, and processes of a low-cost carrier with a top of the line carrier.

Please check these two free webinars on-demand where we relate quality policy and indicators

The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
 

The following material will provide you information about strategic orientation:

• ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
• You can look for strategic orientation example in this link https://advisera.com/books/wp-content/uploads/sites/9/2017/09/Discover-ISO-9001-through-practical-examples-EN-LookInside.pdf
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 27001 Certification

We are not experts in FedRAMP, SOC2, and NITS, but this situation is more like "adjustment" than "transition" because the safeguards required/used by the frameworks you mentioned can be used for ISO 27001 implementation (some of them can be linked to controls form the standard's Annex A). Your main concern should be compliance with the main clauses of the standard.

These articles will provide you a further explanation about the implementation of ISO 27001 and use of NIST framework:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
• How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Risk treatment plan

ISO 27001 does not prescribe the content of the risk treatment plan, but as good practice, it should consider at least:

• which security controls you need to implement
• who is responsible for them
• what are the deadlines
• which resources (i.e. financial and human)

To see how a risk treatment plan looks like, please access the free demo of our Risk Treatment Plan at this link: https://advisera.com/27001academy/documentation/risk-treatment-plan/

This article will provide you further explanation about the risk treatment plan:

• Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Certification ISO 27001

This is different from one certification body to the other - some require you to have ISMS in full operation for at least 3 months, while others do not have such a criteria. The best would be if you ask for proposals from a couple of certification bodies, and ask them this specific question.

These articles may also help you:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
• Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

Measures and Metrics

Good metrics are SMART:

• Specific: they have a clear purpose
• Measurable: they can be defined in a qualitative or quantitative way
• Achievable: people can feel that, even if the metrics require more effort than the normal, they can be achieved
• Relevant: they are important to business results
• Time-based: they have relevance in time

These articles can provide you some examples:

• ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
• Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/

How to control data tape movement during COVID19

Once the decision is made by Top management, if it impacts BCP procedures or policies guidelines, then you have to document the exception, according to your procedure for documents and records control.

As a suggestion for the text, you should consider include this exception as a sub-clause in the main topic of your document, defining it the details about how to handle this situation. For example:

Clause x - Backup
Clause x.x - Backup procedure during a pandemic
In case of a pandemic, the backup procedure must be made as follows: <from this point you must include the procedure specific for this case>

Corrective actions

For every proposed corrective action the auditor must look for implementation evidence.

For example, if the proposed action is training, the auditor must look for certifications, attendance lists, or interview employees about the training topic. If the proposed action is a system update, the auditor must look for a change record or information about which is the most updated version of the system and verify if it is the same version in the system. If the proposed action is the installation of a CCTV system, the auditor must look for the installed cameras and see if they are operational.

This article will provide you further explanation about Corrective actions:

• Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

Quality audit

In the following diagram you can see the main steps of an audit and the outcomes of each step:

In the following diagram you can see the key inputs for any audit: the scope, the criteria and the objectives:

You can get much more information in the following links:

• Free webinar – How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
• Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
• Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

Road map to ISO 9001

The first step that I recommend is to perform a Gap analysis, to determine the amount of work to be done.

With this information you can develop your project plan, listing what needs to be done, by whom, until when.

After implementation, perform an internal audit and the management review. There you can decide if your organization is ready for certification audit. You can check a much detailed checklist at - Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/

You can get much more detailed information in the following links:

• Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• ISO 9001 Implementation Duration Calculator - https://advisera.com/9001academy/iso-9001-duration-calculator/
• How much does the ISO 9001 implementation cost? - https://advisera.com/9001academy/blog/2016/12/20/how-much-does-the-iso-9001-implementation-cost/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• Project Plan for ISO 9001 implementation - https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word
• Free webinar on demand – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Lab processes

ISO 9001 is a standard for general use in any economic sector. For lab processes there is a more specific standard, ISO 17025.

ISO 17025 is the international standard for testing and calibration laboratories. ISO 17025 is more than about a quality management system it is also for demonstrating technical competency.

The following material will provide you information about ISO 17025:

• ISO 17025 vs. ISO 9001 – Main differences and similarities - https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities//
• What is ISO 17025? - https://advisera.com/17025academy/what-is-iso-17025/
• ISO/IEC 17025 DOCUMENTATION - https://advisera.com/17025academy/