
  • Accreditation bodies for training providers

    The value added to a certification regarding its accreditation body will depend on the marketing or industry you are considering.

    Considering ISO 27001 personal certification, the most recognized accreditation bodies for training providers are IRCA, PECB, and Exemplar Global (formerly RABQSA).

    This article will provide you further explanation about ISO27001 lead auditor course:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    This material will also help you regarding ISO27001 lead auditor course:
    - ISO 27001 Lead Auditor course https://advisera.com/training/iso-27001-lead-auditor-course/

  • ISO 27001 Implementation Committee

    ISO 27001 does not prescribe how an organization must define its information security structure, only that relevant responsibilities related to information must be defined, so organizations are free to define them as they see fit.

    Considering this, your suggested areas are acceptable if your organization is a small or medium one (i.e., up to 500 employees). Please note that a committee's role is most related to making decisions about implementation steps, not executing them (this is part of the implementation team's responsibilities).

    This article will provide you further explanation about responsibilities in an ISO 27001 implementation project:
    - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/

    These materials will also help you regarding the ISO 27001 implementation project:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Internal Quality Audit

    It is possible to use an untrained auditor as part of his training program as a trainee auditor with the surveillance of experienced mentors.

    For more information read our article: Requirements for the competence of IATF 16949 Internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/

    Please also consider our article: "IATF 16949 audit types & how they affect process improvement" https://advisera.com/16949academy/blog/2017/11/01/iatf-16949-audit-types-how-they-affect-process-improvement/

  • Green house reaching ISO 9001

    Yes, ISO 9001 is applicable to any kind of organization, profit or nonprofit, in any economic sector.

    The following material will provide you information about ISO 9001:

    - What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
    - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Timeline to close CAPA

    I agreed when you stated that businesses should gather data about the happening of the problem. My friend wants to have CAPA Software to streamline their processes. I should advise him to go for it to predict challenges.

  • Customer complaint as a non-conformity

    Yes, it is a special case of non-conformity, what ISO 9001:2015 clause 8.2.1 c) calls a complaint. After investigation your organization can conclude that there is no responsibility but until then it is a non-conformity, one that organizations want to avoid.

    The following material will provide you information about the risk-based approach:

    ISO 9001 – Effective complaints management in a QMS - https://advisera.com/9001academy/blog/2014/09/16/effective-complaints-management-qms/
    Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Justification in the SoA

    1. Some of the Annex A clauses are worded as if they are mandatory; for example, 5.1.1: "A set of policies for information security shall be defined [...]". Is it acceptable to justify selection on the basis that this is a mandatory element of 27001?

    Please note that a control from ISO 27001 Annex A is mandatory only if:
    - There are unacceptable risks that require the implementation of the control
    - There are legal requirements that require the implementation of the control
    - There is a top management decision that requires the implementation of the control

    These are acceptable justifications to apply a control.

    If none of the above mentioned occurs, you do not need to implement the control. What happens is that once a control is deemed as applicable, then all "shall" related items are mandatory to be implemented.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    2. We have multiple risks associated with the same vulnerability (as expected); for example, the vulnerability "inadequate protection from unauthorized access" occurs many times. Is it acceptable to justify on the basis of 'All risks associated with "inadequate protection from unauthorized access"' rather than itemize each risk?

    This approach is not acceptable because it does not allow an easy identification of which risks are related to the applied control. In this case, you can only mention in the SoA the ID of the risks listed in the risk treatment plan. For example, "Control X is applicable because of unacceptable risks 23, 35 and 47 listed in the risk treatment plan".

    This article will provide you further explanation about SoA:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

  • Recommended file/folder structure

    To see a folder structure showing how to organize the ISO 27001 required documents, as well as examples of documents in the formats used by Office 365, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    This toolkit contains all documents required to be compliant with ISO 27001 requirements, as well as the most commonly used documents. All of them are organized in a folder structure following the order in which they have to be implemented, which makes locating them easier.

    These articles will provide you further explanation about ISO 27001:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Organization risk assessment

    May I know if for internal audit, do I need to do an audit for all departments or only selected departments for yearly and re-certification audits?

    Answer:

    All departments included under the scope of the quality management system should be audited at least yearly.

    Another is what is a proper way to check and document the internal audit findings and ensure all is okay to close all the findings?

    Answer:

    Auditors document internal audit findings in an audit report. Normally, then, organizations transfer negative findings into an audit nonconformity form where the treatment is recorded. Each negative finding should be closed after verifying implementation of correction and verifying implementation and effectiveness of corrective actions.

    What is a suitable time frame to conduct an internal audit?

    Answer:

    Some organizations do a yearly internal audit, normally around one month before the management review. Other organizations do a set of small audits during the year; in that case the set of audits includes all departments under the scope of the quality management system, and the audits should be distributed according to the availability of auditors and to minimize disruption of operations.

    How long do I need to keep findings for the yearly internal audit?

    Answer:

    Each organization has the authority to define the record keeping time. I suggest 4 years, just to ensure that all internal audit records generated during the 3-year certification cycle are available for consultation.

    I would like to invite you to a webinar about internal audits that will take place today - How to perform an ISO 14001:2015 internal audit [free webinar] - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar/


  • Purpose of requirements

    ISO 45001:2018 is designed to be applicable to any company, in any industry, in any location around the world. Since the OH&S legal requirements differ from company to company and from location to location, the ISO 45001 standard can't dictate which laws are applicable, but for OH&S it is critical that you know the laws that apply to you, keep up to date when they change, and comply with these legal requirements. That is why the ISO 45001 requirement is to identify your applicable legal and other requirements, keep up to date on them, and ensure you meet them. You do not need to have a register of these applicable requirements, but this is one easy way to know the list of what is applicable and when it was last updated, so that you know you are up to date.

    For more on meeting the ISO 45001 standard for OH&S legal requirements, see the article: How to identify and comply with legal requirements in ISO 45001, https://advisera.com/45001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-iso-45001/
