This is different from one certification body to the other - some require you to have ISMS in full operation for at least 3 months, while others do not have such a criterion. The best would be if you ask for proposals from a couple of certification bodies, and ask them this specific question.
These articles may also help you:
Good metrics are SMART:
These articles can provide you some examples:
Once the decision is made by Top management, if it impacts BCP procedures or policies guidelines, then you have to document the exception, according to your procedure for documents and records control.
As a suggestion for the text, you should consider including this exception as a sub-clause in the main topic of your document, defining in it the details about how to handle this situation. For example:
Clause x - Backup
Clause x.x - Backup procedure during a pandemic
In case of a pandemic, the backup procedure must be made as follows: <from this point you must include the procedure specific for this case>
For every proposed corrective action the auditor must look for implementation evidence.
For example, if the proposed action is training, the auditor must look for certifications, attendance lists, or interview employees about the training topic. If the proposed action is a system update, the auditor must look for a change record or information about which is the most updated version of the system and verify if it is the same version in the system. If the proposed action is the installation of a CCTV system, the auditor must look for the installed cameras and see if they are operational.
This article will provide you further explanation about Corrective actions:
In the following diagram you can see the main steps of an audit and the outcomes of each step:
In the following diagram you can see the key inputs for any audit: the scope, the criteria and the objectives:
You can get much more information in the following links:
The first step that I recommend is to perform a Gap analysis, to determine the amount of work to be done.
With this information you can develop your project plan, listing what needs to be done, by whom, until when.
After implementation, perform an internal audit and the management review. There you can decide if your organization is ready for the certification audit. You can check a much more detailed checklist at - Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
You can get much more detailed information in the following links:
ISO 9001 is a standard for general use in any economic sector. For lab processes there is a more specific standard, ISO 17025.
ISO 17025 is the international standard for testing and calibration laboratories. ISO 17025 is about more than a quality management system; it is also for demonstrating technical competency.
The following material will provide you information about ISO 17025:
The first and most important thing is to have the support of top management, which is the one that will provide the resources, both personnel and financial, needed to carry out the implementation project.
Next, I would recommend that you perform a gap analysis, which will help you identify the requirements that the organization does not yet meet. Here you can carry out the analysis free of charge - ISO 14001 gap analysis tool: https://advisera.com/14001academy/es/herramienta-gap-analysis-iso-140012015/
After that, you should define the scope of the Environmental Management System, for which I recommend that you first determine the internal and external issues of the organization's context, since this can be a great help in knowing what the boundaries of your EMS will be. You can then determine both the policy of your EMS and the objectives of the EMS. Here you can get more information on how to define the scope of your EMS - How to determine the scope of the EMS according to ISO 14001:2015: https://advisera.com/14001academy/blog/2016/02/01/how-to-determine-the-scope-of-the-ems-according-to-iso-140012015/
Then you will need to establish all the processes related to the system and implement them, and finally perform the internal audit and carry out the management review.
These materials can help you learn the steps in the implementation of ISO 14001:2015:
- Article: List of steps for the implementation of ISO 14001: https://advisera.com/14001academy/es/knowledgebase/lista-de-pasos-para-la-implementacion-de-la-iso-14001/
- Free course - ISO 14001:2015 Foundations: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
Yes, both in internal and surveillance audits, auditors can verify that agreed corrective actions have been implemented and are effective. Actually, I consider that to be the best approach: close in an audit scenario what was opened in an audit scenario.
The following material will provide you information about internal auditors:
According to article 4 GDPR, a data processor processes personal data on behalf of the data controller. With reference to the IT maintenance system, there has been an interpretation of the German Data Protection Authority (DPA) which considers “data processing” also the occasional access to client’s data from the IT maintenance company. You should verify if your national DPA gave some definition of data processing. If not, it would be safer to adhere to the strict German interpretation in order to assure compliance and consider the IT company as a data processor.
This is the official statement of German DPA (in German): https://datenschutz-hamburg.de/assets/pdf/DSK_Kurzpapier_Nr_13_Auftragsverarbeitung.pdf
Here you can find some useful information:
You can also consider enrolling in our free EU GDPR Foundation course: