My first question is about the formal process for a company to get certified ISO 27017 if it is already certified ISO 27001.
Is it just about asking the audit provider to verify the additional questions and deliver the “statement of compliance”? Or is there a certification for which the company should conduct a proper and distinct audit?
First, it is important to note that ISO 27017 is not a certifiable standard. What some certification bodies do is to "certify" against ISO 27017 during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series.
Considering that, to be "certified" against ISO 27017 all you need to do is to include the applicable controls related to ISO 27017 in your Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process), update your risk treatment plan, implement required controls and notify your certification body about the changes (so it can adjust the certification/surveillance audits accordingly).
For further information, see:
My second question is: Can a company say that it is certified for the information security management for cloud computing services just with ISO 27001/27002?
ISO 27001 has enough security controls to allow an organization to be certified with cloud computing services in its ISMS scope. You would only need to include controls from ISO 27017 if your organization has specific requirements demanding the implementation of ISO 27017 controls (e.g., laws, regulations or contracts).
This article will provide you further explanation about ISMS scope:
If the company implements ISO 13485/10328, with our ISO 13485:2016 Documentation Toolkit the following requirements from the FDA will be met: quality management system described in 21 CFR 820, and reports of correction and removals described in 21 CFR 806. The following requirements need to be fulfilled in addition to our toolkit: registration described in 21 CFR 807, Unique Device identification described in 21 CFR 830 or electronic records and signatures described in 21 CFR 11.
For more information, please read the following article:
How to use ISO 13485 to fulfill FDA regulatory classes for medical devices https://advisera.com/13485academy/blog/2017/09/14/how-to-use-iso-13485-to-fulfill-fda-regulatory-classes-for-medical-devices/
When you have a nonconformity, you need to eliminate it. A correction attacks the nonconformity: it focuses on the defect, on what is wrong, and tries to solve the situation. For example, through rework, scrapping, downgrading, or a discount to the customer to see if he or she agrees to receive the wrong product.
After eliminating what is wrong with the correction, one should evaluate the risk. How important is the nonconformity, with its actual or potential consequences? What is the probability of recurrence; can it happen again?
If the risk is relevant, a corrective action is needed. Corrective action is done after the correction and has another purpose: trying to eliminate the cause behind the nonconformity. When we do an effective corrective action, we eliminate or reduce the frequency of recurrence of the nonconformity. For example, changing a raw-material supplier in order to minimize production problems due to a raw material.
The following material will provide you information about corrections and corrective actions:
Thank you
Do you have any suggestion for accreditation bodies for a lab to be accredited to ISO 17025?
I am unable to make suggestions on such a matter. Certain countries have a single accreditation body, and laboratories do not have a choice. If you do have a choice, you may choose to speak with laboratories that have been through the process, and form your own opinion as to whom to choose.
What is the difference between accreditation bodies and certification bodies?
Certification bodies assess and certify organizations or people, whereas accreditation bodies assess and accredit laboratories. Accreditation is not compulsory for certification bodies; however, all accreditation bodies are themselves accredited, mandated by national legislation. Depending on the scope of work, the standards to which accreditation and certification bodies are accredited differ. ISO 17011 is the standard for accreditation bodies, whereas ISO 17024 is the standard for Conformity assessment - General requirements for bodies operating certification of persons.
The following article may be of interest, providing a good explanation and further information:
If we think in iterative terms, it doesn't matter where to start. I usually start by determining the relevant internal and external issues. Then, we determine the stakeholders and their needs and expectations. In determining these needs and expectations, we often see the need to complete the list of issues previously developed.
Then, as shown in this free webinar on demand – ISO 9001:2015 clause 4 – Context of the organization, interested parties, and scope – https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/ – we determine risks and opportunities.
The following material will provide you more information about the context and interested parties:
- Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
- How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
ISO 9001:2015 does not require a mandatory document called a quality plan. However, planning quality is of paramount importance.
Slide 11 of this free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ - includes an example of what can be used as a template for a quality plan. Remember, these days many organizations do not use paper, even digitally; the rules from quality planning can be distributed through internet applications, machine software and many other ways.
I'm sorry about this problem - this particular video was made for an earlier revision of the standard, and the templates were updated to include improvements.
If you find any other differences between any video tutorial and the templates, please consider the templates, because they are up to date to the current version of the standard.
If you still feel you need more information about this topic, you can schedule a meeting with one of our experts. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
Please avoid generic lists of risks. Each organization is a particular case.
According to ISO 9001:2015, organizations can determine three types of risks:
Please check these free webinars on demand where I present examples of such risks:
You can find more information about risks below:
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Encryption is considered a good security measure under Article 32 GDPR, paragraph 1, letter a, so it is highly recommended when feasible. The Regulation, in fact, leaves it up to the Data Controller to decide whether the measure is appropriate to the risk for the rights and freedoms of natural persons, considering the state of the art and the cost of implementation as well as the nature, scope, and purposes of the processing.
Whatever the choice will be, consider the accountability principle and explain in your internal policy why the data controller adopted such a measure or not.
You can find more information here:
EU GDPR controller vs. processor – What are the differences?: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
The obligations of controllers towards Data Protection Authorities according to GDPR: https://advisera.com/eugdpracademy/blog/2017/12/11/the-obligations-of-controllers-towards-data-protection-authorities-according-to-gdpr/
How cybersecurity solutions can help with GDPR compliance: https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
You can also find some useful information in our free online GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//