There is no definitive timeline given for document retention in AS9100, since this will be different from document to document. You need to determine the retention for each document you create, with information coming from customer or legal requirements. For instance, contracts should tell you how long to keep records for that contract, and there are many aviation requirements to keep records for the lifetime of the aircraft, whereas some countries have a seven-year retention for financial documents. If you have no legal or contractual requirements telling you how long to keep a specific record, such as older versions of procedures that you have changed, then it is up to you to determine a retention time (we suggest 3 years).
You can find out more about the new documentation requirements in this article: A new approach to document and record control in AS9100, https://advisera.com/9100academy/knowledgebase/new-approach-to-document-and-record-control-in-as9100/
I am assuming that you are referring to ISO 9001 certification. Congratulations on your certification!
There is no restriction prior to IATF certification, just make sure you are aligned with all its requirements.
For more information, take a look at our article: ISO 9001 vs IATF 16949: What is the difference: https://advisera.com/16949academy/blog/2019/11/19/iso-9001-vs-iatf-16949-what-is-the-difference/
The article Checklist of IATF 16949:2016 implementation steps may also help:
https://advisera.com/16949academy/knowledgebase/checklist-of-iatf-16949-2016-implementation-steps/
No, ISO 9001:2015 has no mandatory requirements about documented procedures. The same applies to work instructions or standard operating procedures; please check ISO 9001:2015 clause 4.4.2, where you can see that each organization has the authority to determine if a particular documented procedure or instruction is needed.
The following material will provide you with information about required documentation:
- ISO 9001 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
ISO 9001:2015 no longer uses the word “exclusion”.
Does this mean that all clauses in the standard apply to an organization's quality management system (QMS)? No!
ISO 9001:2015 abandoned the word exclusion but introduced the word "applicability". Please check Annex A5 of ISO 9001:2015.
An organization can decide that a particular clause is not applicable if it is not relevant within its QMS scope. Please check slides 17 and 18 (one about tailoring the scope and the other about applicability) in this free webinar on demand - ISO 9001:2015 clause 4 (Context of the organization, interested parties and scope) – https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
To obtain support from top management to implement ISO 27001/ISO 22301, it is very important to show the benefits of the standard's implementation, which basically are:
- improvement of marketing edge
- decrease of costs with incidents
- decrease of effort to comply with legal requirements
- improvement of internal organization
This article can provide additional information: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
This free webinar will help you to know more about the benefits of ISO 27001:
- ISO 27001 benefits: How to obtain management support https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
1. I need just a document on segregation of duties with regards to Management of IT and IT Security?
In case the segregation of duties is needed, our recommended approach is to define the segregation in the specific documents where it is required (e.g., policies and procedures), instead of using a single document to centralize the segregation you need. This way, people will focus on the specific documents they need to follow, instead of consulting multiple documents. This also decreases the administrative effort to manage documents and the risk of information inconsistency.
As an example of segregation of duties directly in the document, I can mention the backup policy, where you can define that one person is responsible for creating backups and another person is responsible for testing them. Another example is the document control procedure, where you can define that one person is responsible for creating documents and another person is responsible for approving them.
For further information, see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
2. Who is responsible for the drafting of the Cyber Security Management policy?
ISO 27001 does not prescribe who must elaborate required documents, so you can define any person your organization sees fit, provided he/she has the proper competence to do so (by means of experience, training or acquired knowledge). Considering this specific document, and if you have these roles in your organization, the responsible person may be the person responsible for information security or the person responsible for IT.
For further information, see:
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
3. What defines a small to medium business: the no. of people, geographical, or both?
The most general parameters used to define the size of an organization are number of employees and its complexity, which can be evaluated by items like its internal processes and geographical distribution (e.g., sometimes an organization has few employees, but if they are working from remote locations, it is more complex to manage than an organization with more employees that work in the same location).
As for our toolkit, it was developed considering small to medium businesses with up to 500 employees.
If your current documentation fulfills the requirements from clause 7.5 (e.g., documents are identified, reviewed and approved, protected, etc.), then you do not need to create additional documents with the same information. And if your current documentation does not fulfill clause 7.5 requirements, it is normally more productive to implement the requirements in this documentation than to create new documents.
This article will provide you with further explanation about document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
First, it is important to note that the list in the article you've mentioned does not cover all countries, nor is it fully up-to-date, because it depends on voluntary contributions from our readers. To make sure you have the latest list of laws and regulations, and which ones apply to specific industries, it would be best to hire a local legal adviser.
First, it is important to note that before going for the scope of the ISMS and talking about assets, you need to convince top management to support ISO 27001 in terms of business benefits, like:
- improvement of business opportunities
- decrease of costs with incidents
- decrease of effort to comply with legal requirements
- improvement of internal organization
Considering that, your text for the goal of the project could be rephrased like:
- Information Security Management System applicable to improve business opportunities related to the provision of our IT Services.
- Information Security Management System applicable to decrease the costs of incidents related to our IT Services.
As for the ISMS scope, it is not enough, because the standard requires you to also consider other aspects. For additional information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
These articles will provide you with further explanation about obtaining the support of top management:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
These materials will also help you to get an idea of how to present ISO 27001 to your management:
- Project proposal for ISO 27001 implementation https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-implementation-powerpoint
- ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
Consider the following picture:
Clause 8.7 is not about product non-conformities specifically, that is why the standard uses the word output and not the word product or the word service. So, perhaps what you classify as “The other type of nonconformities” are outputs where clause 8.7 applies.
Clause 8.7 applies always, whatever the organization is. What can be very different is what is meant by output.