Search results


  • Toolkit content

    The main difference between these three documents is:
    - Risk Assessment and Risk Treatment Methodology Cloud covers not only requirements for ISO 27001, but also specific requirements applicable for cloud environments defined by ISO 27017 and for Personally Identifiable Information (PII) defined by ISO 27018.
    - Risk Assessment and Risk Treatment Methodology Premium covers not only requirements for ISO 27001, but also specific requirements applicable for business continuity defined by ISO 22301.
    - Risk Assessment and Risk Treatment Methodology Integrated covers not only requirements for ISO 27001, but also specific requirements applicable for the protection of personal data defined by the EU GDPR.

    You can see the specific requirements covered in each document in its own section 2 - Reference Documents.

    Please note that these are slight differences, included to ensure the right references are included in each document related to cloud, business continuity, and GDPR, but they practically do not have an impact on the methodology itself.

  • Surveillance audits

    1. Does the external auditor have to do complete surveillance for all controls in the SOA the same as the first year of certification?

    Only during certification audits must all controls in the SoA be audited. During each surveillance audit, the auditor can cover only part of the controls, provided that all controls are audited during the certification cycle (e.g., if you have 3 surveillance audits between certification audits, all controls must be audited at least once in these three audits).

    This article will provide you with further explanation about surveillance audits:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

    2. How long does it take to complete the surveillance audit with regard to the initial certification audit duration?

    The total days to complete a surveillance audit will depend on the defined ISMS scope (e.g., number of locations, number of employees, etc.), so without detailed information, we cannot provide a precise answer for your case.

    As a general example, we can say that if the certification audit took 5 days to perform, the surveillance audits will take between 2 and 3 days.

  • Laboratory accreditation

    Yes, ISO 17025 is generally the most appropriate standard for veterinary testing laboratories to develop and implement. If, however, a laboratory performs human medical and veterinary diagnostic testing, e.g. infectious diseases that can be spread from animals to humans, they could choose ISO 15189 (which is based on ISO 17025).

    The intergovernmental organization responsible for improving animal health worldwide, The World Organization of Animal Health (OIE), requires veterinary testing laboratories to design and maintain an appropriate quality management system, irrespective of any requirement for formal accreditation. National legislation and regulatory body policies will regulate the need for accreditation, which is mandatory for laboratories that conduct tests for infectious animal diseases. Veterinary testing laboratory accreditation bodies align their requirements for accreditation with the World Organization of Animal Health (OIE) standard “Management and Technical Requirements”, as it contains the specific requirements unique to veterinary testing laboratories.

    The following articles may be of interest:

    For some useful tools for planning ISO 17025 accreditation, have a look at:

  • Environmental aspects

    What do you do in your work?

    You perform some activities and in doing so you use bulbs, fluorescent tubes and other materials.

    An organization’s environmental aspects are all those elements that interact with the environment through its activities, products or services. For example, you, with your work as electrician, generate waste (used bulbs, fluorescent tubes, used paper and plastic packages).

    https://www.screencast.com/t/vvGoZQqU

    Environmental impacts are the changes to the environment resulting from its environmental aspects.

    First you should determine environmental aspects and impacts (waste, energy consumption, materials use, noise, water pollution, soil pollution, …)

    Then you should evaluate which aspects are more significant and define what action plans are needed to avoid, control or reduce their impact.

    The following material will provide you with more information about aspects and impacts:

    Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • ISO 27001 implementation

    1. An educated guess for the duration and cost of the certification for our budget planning.

    The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but considering your scenario, the implementation duration can vary from 3 to 6 months.

    To have an estimate based on your organization's context, I suggest you take a look at our free ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    About implementation costs, there are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information (and you already provided quite a few), it's not possible to give a precise value. What I can tell you are some cost issues you should consider:

    - Training and literature
    - External assistance
    - Technologies to be updated/implemented
    - Employees' effort and time
    - The certification process

    Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.

    These articles can provide you with more information:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

    2. Recommended roadmap in terms of your services/products offered.

    I assume you are interested in the ISO 27001 standard, therefore we would recommend our ISO 27001 Documentation Toolkit [https://advisera.com/27001academy/iso-27001-documentation-toolkit/] - it will provide you with a step-by-step explanation of all the activities you need to perform to become compliant, and it will give you all the documents you need for the certification audit.

  • Coding ISO 9001 documents

    There is no universal rule to follow when coding ISO documents.

    I can only tell you about my practice. 

    ISO 9001:2015 invites us to follow the process approach. So, I model how the quality management system works, as a set of interrelated processes, and I code each process with a number and a verb+noun. Like:

    1. Win order
    2. Buy material
    3. Provide service
    4. Develop new service
    5. Install service

    Now I use that numbering as the basis for coding the documentation. For example:

    PD1.0 – Process Description 1 version 0.
    Any work instruction related to Process Description 1 is coded as WI.1.1; WI 1.2; …

    Forms, I code them with a serial number.

    The following material will provide you with information about document control:

    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - ISO 9001 blog – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Free webinar on demand – How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/
    - Free online training - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • Internal Audits

    You can have one Internal Audit Report; you just need to have different audits for all three types of audits. A manufacturing process audit is not the same as a product audit; in a product audit you are auditing the product itself against the specification you have.

  • Data subjects’ consent in a mobile app

    The Regulation requires Privacy Notices to be concise, transparent, intelligible and easily accessible. While the Regulation should standardize the content of your privacy notices, it is likely that they will still need to be translated into local languages if they are directed at a particular jurisdiction. In particular, it is hard to see how your notice can be “accessible” if it is in a language the individual does not understand. Similarly, in some Member States such as France, the use of a local language for consumers and employees is mandatory under consumer protection and employment law.

    If you want to find out more about privacy notices, check out this free webinar: Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

  • FOI legislation

    Some of the documents in the Toolkit are meant to be public so there are no IPR issues here if the legal entity is bound by statutory requirements of transparency to make them public. The same goes for the other documents if there is a statutory legal requirement to make them available in certain cases.

  • Incident response plan

    To build an Incident Response Plan you should consider the following information:
    - Name, job title and contact information of personnel required to handle specific incidents (e.g., system/network administrator for IT-related incidents, facilities manager for premises-related incidents, etc.).
    - Which external parties should be contacted (e.g., customers, partners, media, public services/authorities, etc.), in which situation, through which communication channel (e.g., by phone, e-mail, press conference, etc.) and by whom.
    - Types of incidents that should be handled by the plan (e.g., fire, premises evacuation, service failure, etc.).
    - Details on how to treat each of the identified incidents (e.g., for fire, summon the fire brigade, start premises evacuation, call the fire department, etc.).

    To see what an incident response plan looks like, please see this free demo:
    - Incident Response Plan https://advisera.com/27001academy/documentation/incident-response-plan/

    These articles will provide you with further explanation about incident management and response plans:
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
    - How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    These materials will also help you regarding incident management and response plans:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Writing a business continuity plan according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
