No, ISO 9001:2015 has no mandatory requirements for documented procedures. Even for work instructions or standard operating procedures, please check ISO 9001:2015 clause 4.4.2, where you can see that each organization has the authority to determine whether a particular documented procedure or instruction is needed.
The following material will provide you with information about required documentation:
- ISO 9001 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
ISO 9001:2015 no longer uses the word “exclusion”.
Does this mean that all clauses in the standard apply to an organization's quality management system (QMS)? No!
ISO 9001:2015 abandoned the word exclusion but introduced the word "applicability". Please check Annex A5 of ISO 9001:2015.
An organization can decide that a particular clause is not applicable if it is not relevant within its QMS scope. Please check slides 17 and 18 (one about tailoring the scope and the other about applicability) in this free webinar on demand - ISO 9001:2015 clause 4 (Context of the organization, interested parties and scope) - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
To obtain support from top management to implement ISO 27001/ISO 22301, it is very important to show the benefits of the standard's implementation, which basically are:
- improvement of marketing edge
- decrease of costs with incidents
- decrease of effort to comply with legal requirements
- improvement of internal organization
This article can provide additional information: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
This free webinar will help you to know more about the benefits of ISO 27001:
- ISO 27001 benefits: How to obtain management support https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
1. I need just a document on segregation of duties with regards to Management of IT and IT Security?
In case segregation of duties is needed, our recommended approach is to define the segregation in the specific documents where it is required (e.g., policies and procedures), instead of using a single document to centralize the segregation you need. This way people will focus on the specific documents they need to follow, instead of consulting multiple documents. This also decreases the administrative effort to manage documents and the risk of information inconsistency.
As an example of segregation of duties directly in the document, I can mention the backup policy, where you can define that one person is responsible for creating backups and another person is responsible for testing them. Another example is the document control procedure, where you can define that one person is responsible for creating documents and another person is responsible for approving them.
For further information, see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
2. Who is responsible for the drafting of the Cyber Security Management policy?
ISO 27001 does not prescribe who must elaborate the required documents, so you can define any person your organization sees fit, provided he/she has the proper competence to do so (by means of experience, training or acquired knowledge). Considering this specific document, and if you have these roles in your organization, the responsible person may be the person responsible for information security or the person responsible for IT.
For further information, see:
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
3. What defines a small to medium business: the number of people, geography, or both?
The most general parameters used to define the size of an organization are the number of employees and its complexity, which can be evaluated by items like its internal processes and geographical distribution (e.g., sometimes an organization has few employees, but if they are working from remote locations, it is more complex to manage than an organization with more employees that work in the same location).
Our toolkit was developed considering small to medium businesses of up to 500 employees.
If your current documentation fulfills the requirements of clause 7.5 (e.g., documents are identified, reviewed and approved, protected, etc.), then you do not need to create additional documents with the same information. And if your current documentation does not fulfill the clause 7.5 requirements, it is normally more productive to implement the requirements in this documentation than to create new documents.
This article will provide you with further explanation about document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
First, it is important to note that the list in the article you've mentioned does not cover all countries, nor is it fully up to date, because it depends on voluntary contributions from our readers. To make sure you have the latest list of laws and regulations, and which one applies to specific industries, it would be best to hire a local legal adviser.
First, it is important to note that before going for the scope of the ISMS and talking about assets, you need to convince top management to support ISO 27001 in terms of business benefits, like:
- improvement of business opportunities
- decrease of costs with incidents
- decrease of effort to comply with legal requirements
- improvement of internal organization
Considering that, your text for the goal of the project could be rephrased as:
- Information Security Management System applicable to improve business opportunities related to the provision of our IT Services
- Information Security Management System applicable to decrease the costs of incidents related to our IT Services.
As for the ISMS scope, it is not enough, because the standard requires you to consider other aspects as well. For additional information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
These articles will provide you with further explanation about obtaining the support of top management:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
These materials will also help you get an idea of how to present ISO 27001 to your management:
- Project proposal for ISO 27001 implementation https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-implementation-powerpoint
- ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
Consider the following picture:
Clause 8.7 is not about product non-conformities specifically, that is why the standard uses the word output and not the word product or the word service. So, perhaps what you classify as “The other type of nonconformities” are outputs where clause 8.7 applies.
Clause 8.7 always applies, whatever the organization is. What can be very different is what is meant by output.
Quality objectives are overall goals or targets stated by the organization in order to achieve improvement within the QMS. A key performance indicator (KPI) is a metric used to evaluate factors that are crucial for the objective to be fulfilled. So, each objective can have one or more KPIs. For example, an objective can be to have highly educated employees. KPIs for this objective can be the percentage of employees actually trained in a given period, the number of certificates awarded to them, or the number of publications and conference contributions published by employees of the company.
Quality objectives have a strategic role in carrying out the quality policy and its implementation through a quality management system, and provide a means to assess whether the QMS achieves its goals. There is no prescription of how many objectives you need to have; it is entirely a management decision. Standard goals can be: meeting customer and regulatory requirements, achieving the improvement of the QMS and its products, and enhancing customer satisfaction.
In this article, you have more information about setting good quality objectives:
Setting good quality objectives for ISO 13485 https://advisera.com/13485academy/knowledgebase/setting-good-quality-objectives-for-iso-13485/
Although these articles are related to ISO 9001, they can help you understand the differences between objectives and KPIs:
How to define Key performance indicators for a QMS based on ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
1. I would start by gathering a group of people who know the organization, and drawing a model of how the organization works.
2. For each process I would consider its purpose and undesired results to determine process objectives.
3. Based on expected and undesired results I would determine a set of risks and opportunities.
Please consider watching this free on-demand webinar - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - where I show how to do steps 1 and 3 (slides 12 and 14). In another free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ - I show how to do step 2 (slide 10).
The following material will provide you with more information about processes and risks:
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/