Search results

Establishing the context of an organization

When thinking about context, consider both internal and external topics. As internal topics think about weaknesses and strengths of your organization, things like experience, difficulties, successes.

As external topics think about opportunities or threats in the market, things like economic trends, technological evolution, legislation trends, social evolution. Check particularly the first link below.

The following material will provide you more information about context and interested parties:

- Article - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
- Article - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
 

Internal audit report

Audit trail is part of the audit method. Audit method covers the definition of the audit scope, audit planning, audit execution, audit report, and audit follow up. The audit trail is created during audit execution (based on the item you mentioned, defined during audit planning). 

This article will provide you further explanation about internal audit: 
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

SOP approval signature needed or not

On company letterhead I would only add the logo of the organization to your list.

Normally, when I work with organizations, if they keep paper versions of the documentation, I just ask them to sign an original that will be kept as a record. Other paper versions aren’t signed, but they have to match version # and content with the original approved. 

I recommend that the signing, on paper or digital, should be done by the person with authority to make the content of the document an internal rule.

The following material will provide you with information about document control:
- Article - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/

- Article - Some Tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/

- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Business rules definition

As far as I understand your question, you are speaking about both ISO 9001:2015 clauses 4.4.1 c) and 9.1.1.

Organizations should define performance indicators for their processes. Those performance indicators can be presented in documents that describe each process or in tables that gather all performance indicators from all processes.

The following material will provide you more information about monitoring and measurement:

- Article - Practical tips for measuring your QMS according to ISO 9001:2015 clause 9.1 - https://advisera.com/9001academy/blog/2017/08/29/practical-tips-for-measuring-your-qms-according-to-iso-90012015-clause-9-1/
- Article - How to define Key Performance Indicators for a QMS based on ISO 9001 - https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
- Free webinar - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Differences in Risk Analysis

In terms of the requirements and purpose, there is no difference. Both ISO 9001 and ISO 17025 Standards require that organizations address risks and opportunities as relate to the organization achieving its objectives. The same or similar approaches can also be taken when performing risk analysis. In both cases, organizations are required to perform risk analysis by identifying risks and planning responses. Neither standard prescribes a specific approach or methodology.

For more information on the topic, have a look at these articles:

• Similarities and differences in risk management in ISO 9001, ISO 31000, and ISO 27001
  https://advisera.com/9001academy/blog/2016/10/25/similarities-and-differences-in-risk-management-in-iso-9001-iso-31000-and-iso-27001/
• How to address risks and opportunities in ISO 9001
  https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
• Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
• How to identify risk significance in ISO 9001:2015
  https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/

Intricate process for movement of documents

No, ISO 9001 does not include any intricate process for movement of documents. It is up to each organization to design the most useful, the most effective flow of documentation, both inside and with any outside interested parties, unless that flow is ruled by legislation or regulation. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ . You can see that mandatory documents are very few.

The following material will provide you more information about ISO 9001:2015:

- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
 

Plan for Training and Awareness

You can consider these documents in the context of awareness and training in two ways:
- as individual documents, where you explain their purpose and how to fill them in
- as part of processes where they are required (e.g., new employee onboarding, and information exchange between an organization's employees and external parts).

As part of a process examples, in the first case, the new employees need to be aware of documents they need to sign. In the second case, employees working with third parties need to be aware of which documents they have to require from the third parties to sign before the organization's information be sent to them.

This article will also help you regarding awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

This material will also help you regarding awareness and training:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

Retention period - Training and awareness plan

If there are no legal or contractual requirements for defining retention period for evidence of training and awareness activities, you can consider a three-year period aligned to the certification validity cycle.

This article will provide you further explanation about records management:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

Documents and records management

The first important tip for you is to review your current rules defined to comply with clause 7.5.3 (control of documented information). Since you seem to be having a problem with these issues they may be not properly adjusted to your context.

Considering electronic documents and records, if the quantity of them is not so big you can consider organizing them in folders identified by each section of the standard which requires them (e.g., in folder named "Information Security Policy" you can store the Information security policy, in folder "Risk assessment and Treatment" you can store documents and records related to the risk management process, etc.)

If the quantity of documents is big, you should consider a document management solution (you can see an example of such solution in our platform Conformio at this link: https://advisera.com/conformio/)

For physical records, you should consider a central cabinet to store them, adopting a folder structure similar to the electronic documents.

This article will provide you further explanation about document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/ 

Review of information systems

I'm assuming you are referring to ISO 27001 Annex A section A.18.2 Information security reviews. Considering that, the internal audit is the process which covers the controls from this section. Considering that, the steps you must consider regarding ISO 27001 requirements are:
- Document review: to (1) become acquainted with the processes in the ISMS, and (2) to find out if there are nonconformities in the documentation with regard to the standard
- Creating the checklist: write requirements you must check during the audit
- Planning the audit: plan which departments and/or locations to visit and when
- Performing the audit: execute what was planned
- Reporting: to summarize all the nonconformities and relevant information you found
- Follow-up: to check whether all the corrective actions raised during the internal audit are closed

To see how an internal audit documentation looks like, please take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

For further information also see:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- ISO 27001:2013 Internal auditor course https://advisera.com/training/iso-27001-internal-auditor-course/