It is possible to use an untrained auditor as part of his training program as a trainee auditor with the surveillance of experienced mentors.
For more information read our article: Requirements for the competence of IATF 16949 Internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/
Please also consider our article: "IATF 16949 audit types & how they affect process improvement" https://advisera.com/16949academy/blog/2017/11/01/iatf-16949-audit-types-how-they-affect-process-improvement/
Yes, ISO 9001 is applicable to any kind of organization, profit or nonprofit, in any economic sector.
The following material will provide you information about ISO 9001:
- What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
- Free webinar - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
I agreed when you stated that businesses should gather data about the happening of the problem. My friend wants to have CAPA Software to streamline their processes. I should advise him to go for it to predict challenges.
Yes, it is a special case of non-conformity, what ISO 9001:2015 clause 8.2.1 c) calls a complaint. After investigation your organization can conclude that there is no responsibility but until then it is a non-conformity, one that organizations want to avoid.
The following material will provide you information about the risk-based approach:
- ISO 9001 - Effective complaints management in a QMS - https://advisera.com/9001academy/blog/2014/09/16/effective-complaints-management-qms/
- Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
1. Some of the Annex A clauses are worded as if they are mandatory; for example, 5.1.1: "A set of policies for information security shall be defined [...]". Is it acceptable to justify selection on the basis that this is a mandatory element of 27001?
Please note that a control from ISO 27001 Annex A is mandatory only if:
- There are unacceptable risks that require the implementation of the control
- There are legal requirements that require the implementation of the control
- There is a top management decision that requires the implementation of the control
These are acceptable justifications to apply a control.
If none of the above occurs, you do not need to implement the control. What happens is that once a control is deemed applicable, all "shall"-related items in it must be implemented.
This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
2. We have multiple risks associated with the same vulnerability (as expected); for example, the vulnerability "inadequate protection from unauthorized access" occurs many times. Is it acceptable to justify on the basis of "All risks associated with 'inadequate protection from unauthorized access'" rather than itemize each risk?
This approach is not acceptable because it does not allow an easy identification of which risks are related to the applied control. In this case, you can only mention in the SoA the ID of the risks listed in the risk treatment plan. For example, "Control X is applicable because of unacceptable risks 23, 35 and 47 listed in the risk treatment plan".
This article will provide you further explanation about SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
To see a folder structure on how to organize ISO 27001 required documents, as well as examples of documents in the formats used by Office 365, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This toolkit contains all documents required to be compliant with ISO 27001, as well as the most commonly used documents. All of them are organized in a folder structure that follows the order in which they have to be implemented, which makes locating them easier.
This article will provide you further explanation about ISO 27001:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- If someone wants to know the implementation steps: ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- For beginners asking general questions: Where to start with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May I know if for internal audit, do I need to do an audit for all departments or only selected departments for yearly and re-certification audits?
Answer:
All departments included under the scope of the quality management system should be audited at least yearly.
Another question is: what is a proper way to check and document the internal audit findings and ensure all is okay to close all the findings?
Answer:
Auditors document internal audit findings in an audit report. Normally, then, organizations transfer negative findings into an audit nonconformity form where the treatment is recorded. Each negative finding should be closed after verifying implementation of correction and verifying implementation and effectiveness of corrective actions.
What is a suitable time frame to conduct an internal audit?
Answer:
Some organizations do a yearly internal audit, normally around one month before the management review. Other organizations do a set of small audits during the year; in that case the set of audits includes all departments under the scope of the quality management system. In this case, audits should be distributed according to the availability of auditors and to minimize disruption of operations.
How long do I need to keep findings for the yearly internal audit?
Answer:
Each organization has the authority to define the record keeping time. I suggest 4 years, just to ensure that all internal audit records generated during the 3-year certification cycle are available for consultation.
I would like to invite you to a webinar about internal audits that will take place today - How to perform an ISO 14001:2015 internal audit [free webinar] - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar/
ISO 45001:2018 is designed to be applicable to any company, in any industry, in any location around the world. Since the OH&S legal requirements are different from company to company, and location to location, the ISO 45001 standard can't dictate which laws are applicable, but for OH&S it is critical that you know the laws that apply to you, keep up to date when they change, and comply with these legal requirements. That is why the ISO 45001 requirement is to identify your applicable legal and other requirements, keep up to date on them, and ensure you meet them. You do not need to have a register of these applicable requirements, but this is one easy way to know the list of what is applicable and when it was last updated so that you know you are up to date.
For more on meeting the ISO 45001 standard for OH&S legal requirements, see the article: How to identify and comply with legal requirements in ISO 45001, https://advisera.com/45001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-iso-45001/
An example of monitoring results is the total downtime of a critical information system, and the evaluation would be the explanation of the main causes of the reported downtime.
Another example of monitoring results is the results of a vulnerability test, and the evaluation would be the explanation of what the results mean for the general performance of security controls.
Information like this is important because it helps top management decide whether the ISMS is fulfilling its objectives, which improvements are needed, changes to the scope, approval of the required resources, modifications to the main documents (e.g., top-level policies), etc.
This article will provide you further explanation about management review:
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
First of all, thanks for this feedback.
Before answering your points, it is important to note that the definitions presented in the article are based on ISO 27000 standard, which defines vocabulary for Information Security Management based on ISO 27001. You can see this standard at this link: https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en
Now analyzing your text:
When Rhand says that, an event has to be related to the possible failure of controls or “compromise of policies” is like saying that an incident is just a lot of events, or that all events are really junior incidents.
I understand that you are referring to this part of the article:
"Information security event: any occurrence related to assets or the environment indicating a possible compromise of policies or failure of controls, or an unmapped situation that can impact security."
Please note that the text refers explicitly to "information security event", not "event". The ISO 27000 defines them differently:
- event: occurrence of, or change in, a known/expected situation (note that it does not mention the impact or possible impact on security).
So neither the standard nor the text says that all events are junior incidents.
For me, non-compliance is something, which is not in accordance with a standard or policy.
Please note that for ISO 27000 a nonconformity means not fulfilling a requirement, which can also be related to contractual or legal requirements (which are mandatory), not only standards and policies (which the organization decides to follow). So, controls may be performing in accordance with defined standards and policies, but you may still have a nonconformity if a contractual clause or law/regulation is not being followed.