
  • Quality Objectives document numbering

    Quality objectives must be documented, they are a mandatory document according to ISO 9001:2015.

    As a document, quality objectives have to comply with clause 7.5 requirements, they must have an identification, a version and an approval. Now, it is up to each organization to establish how to do document control. Numbering is one possibility for identification, not a rule from the standard.

    The following material will provide you more information about documentation:

    - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • ISO VS ISM certification


    The ISM (International Safety Management Code for the Safe Operation of Ships and for Pollution Prevention) is an international standard for the safe management and operation of ships, focused on the protection of the environment and the safety of the crew, but also of the equipment. The ISM Code is mandatory for vessels over 500 gross tonnage.

    ISO 9001:2015 specifies requirements for a quality management system which ensures that a company provides products and/or services that meet customer requirements and any applicable statutory and regulatory requirements. The main goal of ISO 9001 is to enhance customer satisfaction. This standard is non-mandatory for shipping.

    The following material will provide you more information about the differences between ISO 9001 and ISM code:

    - Article - How ISO 9001 improves shipping procedures: https://advisera.com/9001academy/blog/2019/07/09/how-iso-9001-improves-shipping-procedures/

    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Privacy notice or privacy policy

    Privacy Notices need to be addressed to and made available to the data subjects whose personal data is being processed by the data controller. Depending on whose personal data you are processing, you may need to provide a Privacy Notice both to external data subjects, such as customers, and to employees.

    You can find several templates of Privacy Notices in our EU GDPR Premium Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/)

  • A6.1.5 Information Security in Project Management

    Here's the article that explains the details: How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/ 

    For training and awareness you do not need to have a separate document for each project - it is enough to include the training and awareness sessions that are needed for your projects in your existing training & awareness plan.

    Here you can find free awareness videos that can be helpful: https://advisera.com/training/awareness-session/security-awareness-training/ 

  • ISO 9001 & ISO 14001 Integrated manual

    Neither ISO 9001:2015 nor ISO 14001:2015 has a mandatory requirement for the existence of a management system manual (MSM). So, organizations are free to decide whether they have an MSM and what its content would be. In my work with organizations I recommend the use of an MSM, and in integrated systems I work with an integrated MSM: one manual for the whole (9001 and 14001) management system.

    The following material will provide you more information about manuals:

    - Article – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    - The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/

    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Offices relocating

    Unfortunately we have no materials that would cover this case, however when you change an office the first step is to perform a new risk assessment for this new office - then, based on the newly identified risks you need to correct existing controls, or introduce new controls. 

    This material will help you: Step-by-step explanation of ISO 27001 risk management https://info.advisera.com/27001academy/free-download/step-by-step-explanation-of-iso-27001-risk-management 

  • Documentation structure

    The folders in the toolkit are intentionally marked with numbers because those folders indicate the optimal sequence for implementing the standard - in other words, if you want to implement the standard in the quickest way, you should follow the folders as they are arranged.

    Those numbers are not related to the clauses of ISO 27001. To see which clauses are covered by each document, you should open the PDF document List of documents. 

    It is not necessary for you to keep this numbering for your documents - you can use your own coding system. 

  • Approaching asset-based risk assessment for a cloud provider

    How to approach asset-based risk assessment for a cloud provider like Microsoft Azure? 

    To perform an asset-based risk assessment for a cloud provider you have to consider primarily the risk assessment of the assets controlled by your organization.

    For example, for an IaaS cloud provider, where the provider controls the hardware and basic operational systems, this would mean to assess risks related to your data and the software applications you manage. In case it is a SaaS provider, where the provider controls the hardware and software, this would mean to assess risks related only to your data.

    This article will provide you more information to understand this issue:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

    What level of detail is recommended?

    ISO 27001 does not prescribe levels of detail, so an organization is free to adopt any level of detail it sees fit. Our recommendation for you is to adopt a level of detail so you can have confidence you have sufficient information to identify relevant risks and proper security controls to be implemented by your organization and the cloud provider.

    These articles will provide you a further explanation:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

  • Starting the Process of getting ISO 17025 Accreditation

    To address your overall question of how to prove effective implementation of a system, it helps to ask the purpose of a specific requirement, i.e. why was it included in the ISO 17025 standard? This will help you work out what evidence you should provide.

    Regarding the impartiality clause, the overall purpose is to protect all involved (interested) parties, whether a staff member, customer, company or another group, and to ensure there is no unfair influence on any of the laboratory activities. This means that the laboratory must not engage in any activities that could compromise fairness. It requires that conflicts of interest do not exist (for example, the laboratory financial manager who is also the director of one of the laboratory service providers should not be responsible for the performance evaluations of service providers).

    The following are ways to demonstrate that all laboratory activities are undertaken in a fair manner, being unbiased and non-discriminatory:
    1. Commitment to impartiality. Show this through the way the laboratory is organized (personnel structure), established ethics and quality policies and awareness discussions with personnel. Include impartiality on the agenda for regular quality meetings and management reviews. Establish and retain records of signed personnel declarations, training and minutes of meetings, including management reviews, as suitable evidence.
    2. Management of risks to impartiality. Records of internal audits, management reviews, risk assessments and feedback from involved parties are suitable evidence that risks to impartiality are being managed. Consider financial, commercial, or other pressures that may compromise impartiality. Organizational ownership, governance, marketing, contracts, finances and shared resources between departments must be assessed. You will show that the laboratory eliminates or minimizes risks to impartiality by separating conflicting activities through changing a process or changing personnel reporting lines and authorizations. Even if the initial risk assessment shows no apparent risks to treat, management is demonstrated by monitoring activities, on an ongoing basis, to identify possible threats to impartiality that may have arisen from laboratory or personnel relationships. These must include regular customer and employment contract review to identify and treat new impartiality risks.

    The following ISO 17025 article provides further insight on how to manage risks, applicable to impartiality as well:

    Five-step laboratory risk management according to ISO 17025:2017 https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/ 

    The following ISO 17025 toolkit procedure and template may be of interest: 

    Addressing Risks and Opportunities Procedure at https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/
    ISO 17025 document template: Registry of Key Risks and Opportunities at https://advisera.com/17025academy/documentation/registry-of-key-risks-and-opportunities/

  • ISO 27001 & ISO 20000 implementation duration

    Implementation duration depends on the size of the company, but also your experience in such projects, and some other factors. 

    This article will help you: How long does it take to implement ISO 27001 https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/ - for implementing both ISO 27001 and ISO 20000 you will need 30% more time than for only one standard. 
