
  • Vendor Agreement In relation to ISO 13485:2016

    It is mandatory to have a written quality agreement with the company that provides the outsourced process (as stated in requirement 4.1.5 of ISO 13485:2016). In that quality agreement, the control measures your company applies to the outsourced process must be described. Control measures must be proportionate to the risk involved and to the ability of the external party to meet the requirements of ISO 13485:2016.

    For more details about the Purchasing process please read the article at the following link: 

    How can ISO 13485 clause 7.4, Purchasing, enhance procurement? https://advisera.com/13485academy/blog/2018/04/18/how-can-iso-13485-clause-7-4-purchasing-enhance-procurement/

  • BCM framework and policy

    For a BCM framework, I can suggest ISO 22301, the leading ISO standard for business continuity management. To see what the documents used to implement this framework look like, I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/iso22301-documentation-toolkit/

    This toolkit covers all the mandatory, and most commonly used, documents you need to implement and certify a BCMS against ISO 22301. Also included in the toolkit is a template for a Business Continuity Policy (you can take a look at the free demo of this specific document at this link: https://advisera.com/27001academy/documentation/business-continuity-policy/).

    ISO 22301 is a generic approach that can be used by businesses of any size and industry, including those that make use of SaaS platforms. Included in each template you will find comments that will help you include the information about your SaaS platform whenever necessary.

    These articles will provide you with further explanation about ISO 22301 and the BC policy and scope (although these articles are about ISO 27001, the same concept applies to ISO 22301):

  • Level of information classification

    Considering ISO 27001 requirements and controls, to define the proper classification level for your information, you have to consider:

    • the results of risk assessment
    • legal requirements (e.g., laws, regulations, and contracts) applicable to your organization

    For example, Article 9 of the EU GDPR defines special categories of personal data (https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/), which you should classify with a higher confidentiality level, while the rest of the personal data can be classified with a lower confidentiality level.

    This article will provide you with a further explanation about information classification:

  • Business continuity management questions

    Hello, I work in management systems consulting and I want to inform myself about the information in this business continuity manual. My queries:

    1. What kind of incidents can disrupt the business?

    A disruptive incident is any event that can prevent the business from delivering its products or services, or prevent it from achieving its objectives, for an unacceptable period of time. Considering that, without more information about the nature of the business, we cannot offer a more precise answer than a natural disaster, or loss of facilities or essential personnel.

    For more precise identification, you should perform a risk assessment to identify the unacceptable risks relevant to your business.

    For more information, see:

    2. Does it only refer to information security, or must the risks associated with the specific business also be identified?

    Business continuity refers to any risk that can compromise the business, so it covers not only information security risks but any other risks relevant to the organization (e.g., operational, environmental, etc.).

    3. Taking into account that we live in XXXX, where there are no earthquakes or volcanoes and no snow, and there can only be a strong storm, is the scope of this oriented toward emergency planning and evacuation and information security?

    Besides natural events, you also have to consider intentional and unintentional man-made events (e.g., strikes, terrorism, vandalism, accidents, etc.).

  • Opencast procedure

    I have no experience in mining. I would gather a set of participants with knowledge about what happens and with sticky notes I would ask them to describe the main activities of the opencast process.

    Then, for each main activity, I would ask them to describe what is done, by whom, with what equipment, under which rules, and using which records. Please see how the turtle diagram is used to collect information about a process in the following free on-demand webinar: The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/

  • Documenting policies

    ISO 27001 does not prescribe how documents should be grouped, so organizations are free to use the approach that best suits them. Our general recommendation is to put policies together only as long as the resulting document remains manageable. People tend not to read large documents, and large documents are also difficult to handle if they are in physical format.

    This article will provide you with further explanation about documenting policies:
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

    This material will also help you regarding documenting policies:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • ISMS documents

    If I understood correctly, it seems to you that some documents are missing.

    Considering that, Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 for the following reasons:

        1) ISO 27001 does not require each and every control to be documented.
        2) If the toolkit had a document for each control, there would be too many documents, and this would be overkill for smaller and mid-size companies.

    Since our targets are SMEs, we have decided to include an optimum amount of documents for companies of this size. The toolkit includes:

        - All the mandatory documents - e.g. Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
        - Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.

    You can see a full list of the documents included in the toolkit in the "list of documents" file in your toolkit.

    In case your organization needs a document not included in the toolkit, you can use the blank template included in the toolkit to write the document yourself, send us an email asking specific questions about this new document, or schedule a meeting with one of our experts, so they can help you write the document. You can schedule a meeting at this link: https://advisera.com/27001academy/consultation/

  • ISO 9001 / Cost of Quality

    No, neither ISO 9001:2015 nor ISO 9000:2015 defines "Cost of Quality".

    For example, the term "cost of quality" is used in this article: How to measure the cost of quality in line with ISO 9001 principles - https://advisera.com/9001academy/blog/2019/10/28/cost-of-quality-how-to-measure-it-in-line-with-iso-9001/. Before ISO 9001, I used the term "cost of quality" to designate the sum of the cost of quality prevention (like training), quality control (like controllers' wages) and quality failure (like the cost of defects and rework).

    Cost of quality can be a quality objective.

    Below, you can find more information about quality objectives:

    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Quality objective

    Good quality objectives derive from the quality policy. A good template should test this condition: which commitment of the quality policy is executed through this quality objective?

    Good objectives should comply with the S.M.A.R.T (specific, measurable, achievable, realistic and time-based) test. A good template should test these conditions.

    In my work with organizations, I also include a time chart to answer three important questions: what to do, by whom, and by when.

    A good template should also clarify upfront what resources are available to meet the objective.

    Below, you can find more information about quality objectives:

    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - What has changed with quality objectives in ISO 9001:2015? - https://advisera.com/9001academy/blog/2018/05/08/what-has-changed-with-quality-objectives-in-iso-90012015/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • BRM roles

    The Business Relationship Manager has the following responsibilities:

    • Coordinates activities with other Service Management roles and processes
    • Identifies customer needs and ensures that the company is able to meet those needs
    • Ensures a high level of customer satisfaction
    • Establishes and maintains communication and constructive relationships with customers
    • Understands customers and their business needs, and recognizes new opportunities
    • Serves as a mediator for conflicts
    • Takes care of customer satisfaction surveys and customer complaints


    The following article can help you further: "ITIL Business Relationship Management – Know your customer" https://advisera.com/20000academy/blog/2014/05/14/itil-business-relationship-management-know-customer/
