A Service Management System (SMS) based on ISO/IEC 20000-1 uses more detailed and industry-specific requirements. Yes, we can argue that the same requirements are also included in the ISO 9001:2015 QMS, although with a more generic approach, i.e., on a higher level. So, if you want to manage your services, the SMS is the right "tool" for you.
See a comparison of both standards in this free whitepaper (please note, it's written for the 2011 revision of the ISO 20000-1 standard, but it will give you a good idea): ISO/IEC 20000-1:2011 vs. ISO 9001:2015 matrix: https://info.advisera.com/20000academy/free-download/iso-iec-20000-1-2011-vs-iso-9001-2015-matrix
Ignore this question, I found the answer here:
1. How to determine RTO? It is clear for MTPD.
The RTO is defined after you cross-examine the MTPD between different interdependent activities - in some cases, the RTO will remain the same as the MTPD, and in some cases (where the related activity requires a quicker recovery) it will be lower.
2. Who determines RTO? Department responsible for critical activities or Department responsible for resources supporting critical activities (IT, logistics, …)?
The RTO is related to business needs, so the person responsible for the impacted activity must be the one to define the RTO, but it is important that this person consults the person responsible for the supporting resources, to find the best balance between business needs and available resources (the smaller the RTO, the more resources you will need).
3. About your example during the webinar: if the RTO of IT is 8 hours and the RTO of one critical activity is 4 hours, and this one depends on IT, which RTO will be considered?
When considering the interdependency of activities, you always need to consider first the RTO related to the business activity. In the example, since the RTO of the critical activity is 4h, this one must be the RTO to be considered (if you consider the RTO for IT, the critical activity will not be recovered in proper time).
For more information, please read the following article:
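The rule in the answer above (a supporting resource can never be allowed a longer RTO than the quickest activity that depends on it) is easy to get wrong by hand once several activities share several resources. The following is an added worked example, not code from the original post or from Advisera: it propagates business-defined RTOs through a constructed dependency graph (the activity names, hours and dependencies are invented for illustration) and reports which supporting resources must be tightened and which declared RTOs exceed their MTPD.

```python
"""Propagate RTO constraints through a chain of interdependent activities.

Effective RTO of X = min(X's own RTO, effective RTO of everything that depends on X).
All names and figures below are constructed sample data, not from any real BIA.
"""
from typing import Dict, List, Tuple

# Constructed sample: each activity has its MTPD, the RTO the business owner
# defined, and the activities/resources it depends on (all hours).
ACTIVITIES: Dict[str, dict] = {
    "order_processing": {"mtpd": 8, "rto": 4, "depends_on": ["it_services"]},
    "payroll": {"mtpd": 72, "rto": 48, "depends_on": ["it_services"]},
    "it_services": {"mtpd": 24, "rto": 8, "depends_on": ["data_centre_power"]},
    "data_centre_power": {"mtpd": 24, "rto": 12, "depends_on": []},
}


def effective_rtos(activities: Dict[str, dict]) -> Dict[str, int]:
    """Return the RTO each activity/resource must actually meet.

    Recurses from each node to the things that depend on it, so a constraint
    coming from a critical business activity flows down through IT to power.
    Raises ValueError on an unknown dependency or a circular one.
    """
    for name, spec in activities.items():
        for dep in spec["depends_on"]:
            if dep not in activities:
                raise ValueError(f"{name} depends on unknown item {dep!r}")

    memo: Dict[str, int] = {}

    def eff(name: str, stack: Tuple[str, ...]) -> int:
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError("circular dependency: " + " -> ".join(stack + (name,)))
        dependents = [a for a, spec in activities.items() if name in spec["depends_on"]]
        result = min([activities[name]["rto"]] + [eff(d, stack + (name,)) for d in dependents])
        memo[name] = result
        return result

    return {name: eff(name, ()) for name in activities}


def tightened(activities: Dict[str, dict], effective: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Items whose declared RTO is too slow for what depends on them: name -> (declared, required)."""
    return {
        name: (spec["rto"], effective[name])
        for name, spec in activities.items()
        if effective[name] < spec["rto"]
    }


def mtpd_violations(activities: Dict[str, dict]) -> List[str]:
    """Items whose declared RTO already exceeds their own MTPD (an inconsistent BIA)."""
    return sorted(name for name, spec in activities.items() if spec["rto"] > spec["mtpd"])


if __name__ == "__main__":
    eff = effective_rtos(ACTIVITIES)
    for name, hours in eff.items():
        print(f"{name:18s} declared RTO {ACTIVITIES[name]['rto']:>3}h  required RTO {hours:>3}h")
    print("must be tightened:", tightened(ACTIVITIES, eff))
    print("RTO > MTPD:", mtpd_violations(ACTIVITIES))
```

With the sample data the 4h RTO of order_processing forces it_services from 8h down to 4h and data_centre_power from 12h down to 4h, which is exactly the webinar case generalised to a chain. The cycle check matters in practice: an IT service that "depends on" a business process which in turn depends on the service would otherwise recurse forever.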
If documents created by an employee and sent directly to the client without the approval of another person in the organization are an acceptable risk to your organization, then you can include an "exception" in this section like:
"Except for client project work documents, all other documents, regardless of whether they are new documents or new versions of existing documents, must be approved by [job title]. Client project work documents are considered approved by the employee who has created/reviewed them."
Please note that as a good practice for projects, the project manager should review/approve the documents, since they will be sent to the client.
Unfortunately, we do not have a specific cyber-attack contingency plan. Our templates are provided as a general basis for the development of specific contingency plan scenarios, so you can use them to define the activities, resources, and responsibilities required for a cyber-attack contingency.
Please take a look at these free demos to see how a contingency plan looks:
This article will provide you further explanation about developing a BCP and a DRP:
My first question is about the formal process for a company to get certified ISO 27017 if it is already certified ISO 27001.
Is it just about asking the audit provider to verify the additional questions and deliver the "statement of compliance"? Or is there a certification for which the company should conduct a proper and distinct audit to have it?
First, it is important to note that ISO 27017 is not a certifiable standard. What some certification bodies do is to "certify" against ISO 27017 during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series.
Considering that, to be "certified" against ISO 27017 all you need to do is to include the applicable controls related to ISO 27017 in your Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process), update your risk treatment plan, implement required controls and notify your certification body about the changes (so it can adjust the certification/surveillance audits accordingly).
For further information, see:
My second question is: Can a company say that it is certified for information security management for cloud computing services just with ISO 27001/27002?
ISO 27001 has enough security controls to allow an organization to be certified considering cloud computing services in its ISMS scope. You only would need to include controls from ISO 27017 if your organization has specific requirements demanding the implementation of ISO 27017 controls (e.g., laws, regulations or contracts).
This article will provide you further explanation about ISMS scope:
If the company implements ISO 13485/10328, with our ISO 13485:2016 Documentation Toolkit the following requirements from the FDA will be met: the quality management system described in 21 CFR 820, and reports of corrections and removals described in 21 CFR 806. The following requirements need to be fulfilled in addition to our toolkit: registration described in 21 CFR 807, Unique Device Identification described in 21 CFR 830, and electronic records and signatures described in 21 CFR 11.
For more information, please read the following article:
How to use ISO 13485 to fulfill FDA regulatory classes for medical devices https://advisera.com/13485academy/blog/2017/09/14/how-to-use-iso-13485-to-fulfill-fda-regulatory-classes-for-medical-devices/
When you have a nonconformity, you need to eliminate it. A correction attacks the nonconformity: it focuses on the defect, on what is wrong, and tries to solve the situation. For example, through rework, through scrapping, through downgrading, or through a discount with the customer to see if he or she agrees to receive the wrong product.
After eliminating what is wrong with the correction, one should evaluate the risk. How important is the nonconformity, with its actual or potential consequences? What is the probability of recurrence; can it happen again?
If the risk is relevant, a corrective action is needed. Corrective action is done after the correction and has another purpose: trying to eliminate the cause behind the nonconformity. When we do an effective corrective action, we eliminate or reduce the frequency of recurrence of the nonconformity. For example, changing a raw-material supplier in order to minimize production problems due to a raw material.
The following material will provide you information about corrections and corrective actions:
Thank you
Do you have any suggestion for accreditation bodies for a lab to be accredited to ISO 17025?
I am unable to make suggestions on such a matter. Certain countries have a single accreditation body, and laboratories do not have a choice. If you do have a choice, you may choose to speak with laboratories that have been through the process, and form your own opinion as to whom to choose.
What is the difference between accreditation bodies and certification bodies?
Certification bodies assess and certify organizations or people, whereas accreditation bodies assess and accredit laboratories. Accreditation is not compulsory for certification bodies; however, all accreditation bodies are themselves accredited, as mandated by national legislation. Depending on the scope of work, the standards to which accreditation and certification bodies are accredited differ. ISO 17011 is the standard for accreditation bodies, whereas ISO 17024 is the standard for "Conformity assessment - General requirements for bodies operating certification of persons".
The following article may be of interest, providing a good explanation and further information.