Search results

Risk assessment process

Considering the most common steps for implementation of ISO 27001, the following mandatory documents must be available before risk assessment starts:

• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)

The risk assessment and risk treatment methodology is not a mandatory document (the standard only requires the process to be defined and implemented), but it is considered a good practice to have the methodology documented.

The Scope will define which assets and/or processes are included in the ISMS, which is the base for doing the risk assessment. The Information security policy will define basic responsibilities. 

This article will provide you a further explanation about implementation steps:

• List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ 
• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding implementation steps:

• Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Sign-offs on procedure

One should consider two topics: authority and implementation effectiveness.

ISO 9001:2015 requires that documents belonging to a quality management system have to be approved by an authorized role. Having just a signature evidencing approval by an authorized role is enough. ISO 9001:2015 does not require elaboration and verification signatures.
A good implementation practice, to avoid resistance and/or mistakes, is to ask departmental participation during the development of a procedure.
 

The following material will provide you more information about document control:

- Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
- How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
 

Analyzing implemented standards

ISO 9001:2015 and ISO 14001:2015 are two standards among many other ISO standards. To confirm, please check the certificates, there you can confirm the standards identity.

The following material will provide you more information about those standards:

- What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
- What is ISO 14001? - What is ISO 9001? - https://advisera.com/14001academy/what-is-iso-14001/
- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

RTO and MAO

 Considering ISO 22300 vocabulary (which can be found here: https://www.iso.org/obp/ui/#iso:std:iso:22300:ed-2:v1:en)

• MAO: maximum acceptable outage, the time it would take for adverse impact to become unacceptable
• RTO: recovery time objective, the period of time following a disruptive event within which operation is resumed, or resources are recovered.

Considering these definitions, the RTO value only makes sense if it is smaller than MAO, so RTO cannot be greater than MAO.

In fact, there is a note for RTO in the standard defining this relation: the recovery time objective is less than the time it would take for the adverse impacts to become unacceptable.

For further information about RTO, see:

• What is the difference between the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/

2016 version vs 2018 version

There does not seem to be a difference in the requirements these two standards, as both are equivalent to AS 9100 Rev D. There may be some changes in the appendix information because the transition period for AS9100 Rev D is over, but this does not change any requirements for the QMS.
You can learn more about the AS9100 standard, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
For help implementing the standard, our book may be useful: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/

Risk Assessment software

Small and medium-size companies in most cases do not have a big number of risks to justify the use of software for risk assessment, and the features of a spreadsheet are sufficient to perform the process.

For risk assessment and treatement you can use the following templates in your toolkit:

• Risk Assessment and Risk Treatment Methodology
• Appendix 1 – Risk Assessment Table
• Appendix 2 – Risk Treatment Table
• Appendix 3 – Risk Assessment and Treatment Report

These documents are located on folder 10 - Risk Assessment and Risk Treatment.

Parental information

First of all, consider that the data process of minors is lawful under GDPR when the child is at least 16 years old. Under the age of 16 years old, you will require their parent consent (in such case, you can have access to their parents’ email).According GDPR, you can require parents' email but you cannot use it for marketing activity without their consent.

In fact, you need to consider that for targeted marketing activity the GDPR requires the consent of the targeted person so that children and parents need to flag the box wishing to receive your advertising.

In such form, to be GDPR compliant, you should ask for consent from prospective students and/or parents, also adding a box to flag for marketing purposes. You should inform them about the data process in your privacy notice.

For more information, please see these materials:

•  How does GDPR impact marketing activities?: https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
• Email marketing in the era of GDPR – How to ensure compliance?: https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
• How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/
• ART 8 GDPR: https://advisera.com/eugdpracademy/gdpr/conditions-applicable-to-childs-consent-in-relation-to-information-society-services/
• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• EU GDPR document template: Parental Consent Form https://advisera.com/eugdpracademy/documentation/parental-consent-form/

IS Manager role

First is important to note that ISO 27001 does not require a company to nominate a person to manage information security (for small companies a specific role would be overkill), so this role can be performed by an existing role.

Examples of what this person could do (divided by ISO 27001 sections) are:Compliance:

• Develop the list of interested parties related to information security
• Develop the list of requirements from interested parties

Documentation:

• Propose the draft of main information security documents
• Be responsible for reviewing and updating the main documents

Risk management:

• Teach employees how to perform a risk assessment
• Coordinate the whole process of risk assessment

These articles will provide you further explanation about the IS manager role:

• What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
• Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

These materials will also help you regarding IS manager role:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

IATF 16949 Tool tryout

Tool tryout is one of the process stages for manufacturing process approval. This stage is part of the 8.3  IATF requirement, namely 8.3.3.2 Manufacturing process design inputs and 8.3.5.2 Manufacturing process design output.

Typically consists of a sequence of sample production with the objective of making corrections in the tool and placing the part according to the drawing specification. If the customer determines a method to perform the tryout, for example, run@rate or batch production, it must be followed.

Adapting QMS from Parent Company to Subsidiary

There is not really a detailed procedure to migrate a parent company QMS to a subsidiary. In general, the steps you need to take would be:

1. Identify the existing processes that are relevant to your QMS and transfer them over.

2. Perform a gap analysis to see what else is missing from your QMS that is required by AS9100.

3. Put in place the missing elements of the QMS.

4. Ensure everyone is trained in the changes or additions to the QMS so that they know what they need to do.

To help make sure you are not missing anything after the transfer, see this helpful listing of the mandatory documents: AS9100 Rev D List of Mandatory Documents, https://info.advisera.com/9100academy/free-download/as9100-rev-d-list-of-mandatory-documents

You can also see our book on implementing AS9100: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/