Search results


  • Code of Conduct

    First, it is important to note that ISO 27001 does not require a Code of Conduct.

    Regarding information security, all necessary security rules to be compliant with ISO 27001 are already covered through Conformio documentation (the document that covers general security rules for all employees is IT Security Policy), and writing another document to cover security rules would only increase administrative effort. 

    In case you want to create a Code of Conduct to cover non-security topics, you should:

    • identify the practices and behaviors the organization expects from its employees, contractors, customers, and suppliers;
    • define how to approach these requirements considering the organizational culture and available resources.

    To help you with that you can assess legal requirements (e.g., laws, regulations, and contracts) the organization needs to fulfill, as well as map internal and external relationships you need to maintain.

    Examples of topics to be considered are:

    • Unacceptable behaviors and their consequences
    • Legal compliance
    • Employee rights
    • On-the-job training guidelines
    • Internal practices (e.g., dress code, inclement weather policy, etc.)
    • External practices (e.g., contact with authorities, etc.)

    This article will provide you with further explanation about developing documents (it is focused on the development of ISO 27001 documents, but you can apply these concepts for non-information security topics):

  • Implementation of ISO 17025

    You asked

    How do we merge the two systems in records and procedures, and do we have to point it out in the quality manual, or should each system (ISO 9001 and ISO 17025) be separate in its records and procedures?

    This will depend on your organisational structure and whether ISO 9001 applies to just the laboratory, or to other departments in the organisation. If the same person is responsible for both systems and you wish to integrate them, then just add the required documents and records you need for ISO 17025. I then recommend rewriting the Quality Manual to have one manual covering both the ISO 17025 and ISO 9001 systems. If there are different people responsible for each, then keep the manuals separate and, in the ISO 17025 Quality Manual, refer to the ISO 9001 manual for overlapping approaches such as handling complaints, procurement, and certain personnel requirements (e.g., recruitment). Have a look at previous questions and answers for more information at https://community.advisera.com/topic/design-development and https://community.advisera.com/topic/are-there-any-things-in-iso-9001-not-covered-by-iso-17025

    You also asked

    The second question: we want to participate in PT (Proficiency Testing) in the fields of food analysis, cosmetics, detergents, paints, lubricant oils, textiles, leather, paper, and construction material analysis. Could you recommend some PT service providers?

    This is a very broad scope. I suggest you speak to your selected accreditation body, or an accreditation body in your region. You can also search for accredited Proficiency Testing scheme providers on the accreditation body websites.
    You should also have a look at the Proficiency Testing (PT) scheme database, EPTIS, at https://www.eptis.org/about.htm. This should be helpful.

    You also asked

    Could I see a simplified way to write a plan to implement the international standard ISO 17025?

    Have a look at the Project Plan for ISO/IEC 17025 implementation as well as the very useful Project checklist for ISO 17025 implementation. They are available to download for free at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation and https://info.advisera.com/17025academy/free-download/project-checklist-for-iso-17025-implementation.

    Lastly, you asked

    If a new employee occupies the quality manager position, should it be within his plan to make sure that the work in the laboratory is done correctly and to follow up on to what extent the previous quality manager applied the requirements of ISO 17025, so as to know what has been achieved and what needs to be completed? Or should he work directly on preparation for proficiency tests according to the administration's request, as specified in his plan?

    This will depend on your organisational structure and the job profile. For example, what other positions are there in the laboratory? Typically a laboratory or technical manager is responsible for day-to-day operations and quality control, and the quality manager (or a number of designated people) performs the role of ensuring the overall QMS is functional. This involves, for example, internal audit management, arranging or overseeing the proficiency testing schemes, and the management review process.

  • Annual Review Templates

    Please note that ISO 27001 does not prescribe how to record the reviews of supplier security documents, so you can adopt the record that best fits your needs. Examples are a report, an e-mail, or meeting minutes.

    Information you should consider for this record are at least: documents reviewed, by whom, when, review criteria (e.g., what you planned to look for), review results, and who approved the review. 

    For further information about backup, see:

    • Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Starting the implementation

    1 - I have now opened the zip folder ISO 27001 & ISO 22301 and found two folders for ISO 27001:2019. I ask for an explanation.

    From your question, I understand that you are referring to the folders “27001_2013_and_22301_2019_EN” and “27001_2022_and_22301_EN”, included in the toolkit zip file.

    Considering that, please note that 2019 refers to the ISO 22301 standard, not ISO 27001.

    There are two folders for document templates because each folder refers to different versions of the standard (2013 and 2022, respectively). There is no ISO 27001:2019.

    We suggest you implement the 2022 revision of ISO 27001 unless you have a specific reason to go for the old 2013 revision.

    2 - When I opened the first folder, I found documents that probably allow both standards to be processed in an integrated manner, is that correct?

    Your assumption is correct. The documents were developed considering the requirements of both standards. In each document, you will find comments explaining where the requirements of each standard are applicable and which adjustments you need to make so that the document matches the standard you want to implement.

    3 - I actually wanted to start one project after the other, and not both at the same time. I wanted to start with ISO 22301 separately, how is this possible please?

    To start your implementation first with ISO 22301, you should use folders 01, 02, 03, 10, 11, 12, 13, and 14, adjusting the documents in these folders according to the comments included on them to keep references only to ISO 22301.

    To start with ISO 27001, you should use all folders except folder 10.

    For further information, see:

    • What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/
    • ISO 27001 & ISO 22301: Why Is It Better To Implement Them Together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-iso-22301-better-implement-together-free-webinar-on-demand/

    • Risk Treatment and RTP

      1. Does ISO 27001 require a risk treatment plan as one single plan, or is it acceptable to make risk treatment plans per risk, with approvals per risk? And if it is acceptable, what elements per treated risk must be present (responsibility, timetable, etc.)? The question arises because of a risk software tool which allows making a risk assessment and treatment, and planning treatment, on a per-risk basis; there is no means to collect all risks in one single plan (which contains the treatment descriptions).

      ISO 27001 does not prescribe how to document the risk treatment plan, so organizations can develop it in the way that best fits their needs.

      However, our suggestion is to write the Risk Treatment Plan as a single document because trying to implement ISO 27001 on a risk-by-risk basis is going to create huge problems in the implementation.

      In your toolkit, there is a template for an activity-based Risk Treatment Plan in the folder 07 Implementation Plan.

      2. Does ISO 27001 require a documented procedure for comparing the controls (determined in 6.1.3 b) with those in Annex A? The question arises because the above-mentioned software has no means to make the control comparison in a composed way, e.g., a control table to use for the comparison (like the Advisera Risk Treatment table template has).

      ISO 27001 requires documented information about the risk treatment process, and this is usually in the form of a Risk Assessment and Risk Treatment Methodology. For the comparison of the controls, you can simply state in this methodology that once the necessary controls are defined, they are compared against those from ISO 27001 Annex A.

      In your toolkit, there is a template for the Risk Assessment and Risk Treatment Methodology in folder 05 Risk Assessment and Risk Treatment.

      You can use the Statement of Applicability as evidence of the result of this comparison.

      In your toolkit, there is a template for the Statement of Applicability in the folder 06 Applicability of Controls.

      For further information, see:

      • Statement of Applicability in ISO 27001 – What is it and why does it matter? https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

      • ISO27001 Toolkit materials

        Please note that our ISO 27001 Documentation Toolkit covers all mandatory documents and some documents that are not mandatory.

        A Human Resources Security Policy does not need to be documented according to the standard, and in our opinion, it would be an overhead to document it.

        Regarding a Data Leakage prevention policy, the following documents in the toolkit cover the control A.8.12 Data leakage prevention:

        • Information Classification Policy
        • IT Security Policy
        • Security Procedures for IT Department

        We recommend you check if these templates can fulfill your needs for a Data Leakage prevention policy. These templates can be found in folder 08 Annex A Security Controls.

      • Risk Based Approach Document 03 13485

        Basically, for all processes, you need to have a risk-based approach so that you can control them. You are right that we did not mention anything about the risk-based approach and, since we are currently finishing the second edition of the toolkit, we will add it. 

        If you are using Key Performance Indicators, those are usually elements of how processes are based on risks.

      • Control A.18.1.2

        In general terms your assumption is correct.

        Please note that this control is related to compliance with legal requirements (e.g., laws, regulations, and contracts) related to intellectual property rights and the use of proprietary software.

        Considering that, you need to evaluate the legal requirements applicable to your company to identify what they require from you for compliance. Compliance evidence may be only a copy of the terms of service, but it may also require other evidence, such as log reports or reports from independent auditors.

      • Cybersecurity

        ISO standards, like ISO 27001 (information security management) and ISO 22301 (business continuity management), help organizations to identify and prioritize cybersecurity resources considering business objectives, relevant information security risks, and the impacts of disruptive events on business processes and services.

        For example, if an organization's core business is providing software as a service, protection of source code and users’ data may be a paramount concern related to information security, and availability of the provided software during a disruptive event (e.g., loss of a datacenter) may be essential for business continuity.

        Based on this information, cybersecurity controls related to the protection of source code (e.g., secure development practices) can be justified, as well as the provision of resources related to alternative sites containing proper hardware and software to ensure a quick recovery from a disruptive event.

        For further information, see:

      • Evaluation of the calibration uncertainties

        I have to assume, based on the information provided, that sa is the standard error (uncertainty) of the intercept and sb is the standard error (uncertainty) of the slope. I do not have enough context to respond directly regarding a suitable “low enough” value for sa/sb, and the technical nature of this question is not in the scope of the support that can be provided. I can share some principles and best practices, however. In method development you need to determine the slope and sensitivity as well as the Limit of Detection (LOD) and Limit of Quantification (LOQ). The relative uncertainty near zero is usually large. This topic of linear regression needs to cover a number of topics, including an understanding of residuals (the difference between an observed y value and the calculated y value using the fitted line equation) and regression statistics.

        The objective is to set up a calibration with good predictability of y (analyte concentration) based on instrument response through the regression equation. It is not best practice to be measuring near zero. It is advisable to start with five to seven standard concentration points, equally spaced, covering the range of interest. Include a standard blank and select the range so that the majority of test samples would fall in the centre of the calibration range, because that is where the uncertainty associated with predicted concentration is the lowest. Plot and examine the residuals, do not force the intercept to zero, and calculate the uncertainty (prediction interval) for test sample concentrations using the calibration equation. Depending on the purpose of the method, you need to look at the contribution of the calibration uncertainty to the overall measurement uncertainty, and determine how significant it is.

        Depending on the instrument, and purpose of the method, I suggest you reach out to your supplier for some application guidelines.
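        The following is an added worked example, not part of the original answer or the poster's own data, showing the calculations the answer above describes: an unweighted least-squares calibration line from seven equally spaced standards including a blank, the standard errors sa (intercept) and sb (slope) as interpreted in the answer, the residuals, and the prediction half-width for a concentration read back from the line at the centre and at the top of the range. The calibration data are constructed so the line is nominally y = 2x + 1, the regression formulas are the standard textbook ones for straight-line calibration, and the 95 % Student t value for n - 2 = 5 degrees of freedom is hard-coded as an assumed constant rather than looked up with a statistics library.

```python
# Added example: least-squares calibration line, standard errors of the
# intercept (sa) and slope (sb), residuals, and the prediction interval for
# a concentration read back from the line. Data are constructed, not from the
# original post; the formulas are the textbook ones for an unweighted
# straight-line calibration (see e.g. Miller & Miller, "Statistics and
# Chemometrics for Analytical Chemistry").
from math import sqrt

# Constructed calibration set: 7 equally spaced standards including a blank,
# nominally y = 2x + 1 with small deviations chosen to sum to zero.
CONC = [0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 6.0]          # analyte concentration, x
RESPONSE = [1.1, 2.9, 5.0, 7.0, 9.0, 10.9, 13.1]    # instrument response, y

# Two-sided 95 % Student t for n - 2 = 5 degrees of freedom (assumed constant
# so the example needs no scipy; look the value up for your own n).
T_95_DF5 = 2.571


def fit_calibration(x, y):
    """Unweighted least-squares line y = a + b*x with regression statistics."""
    n = len(x)
    if n < 3 or n != len(y):
        raise ValueError("need at least 3 paired calibration points")
    xbar = sum(x) / n
    ybar = sum(y) / n
    sxx = sum((xi - xbar) ** 2 for xi in x)
    sxy = sum((xi - xbar) * (yi - ybar) for xi, yi in zip(x, y))
    b = sxy / sxx                      # slope (sensitivity)
    a = ybar - b * xbar                # intercept, NOT forced through zero
    residuals = [yi - (a + b * xi) for xi, yi in zip(x, y)]
    # Residual standard deviation of the regression, n - 2 degrees of freedom
    s_yx = sqrt(sum(r * r for r in residuals) / (n - 2))
    sb = s_yx / sqrt(sxx)                              # standard error of slope
    sa = s_yx * sqrt(1.0 / n + xbar ** 2 / sxx)        # standard error of intercept
    return {"a": a, "b": b, "sa": sa, "sb": sb, "s_yx": s_yx,
            "residuals": residuals, "n": n, "ybar": ybar, "sxx": sxx}


def predict_concentration(fit, y0, replicates=1, t=T_95_DF5):
    """Concentration for a measured response y0 (mean of `replicates` readings),
    its standard uncertainty, and the prediction half-width from the calibration."""
    a, b = fit["a"], fit["b"]
    x0 = (y0 - a) / b
    # Standard uncertainty of x0 from inverse regression: grows with the
    # distance of y0 from the mean response, so it is smallest mid-range.
    s_x0 = (fit["s_yx"] / abs(b)) * sqrt(
        1.0 / replicates + 1.0 / fit["n"]
        + (y0 - fit["ybar"]) ** 2 / (b ** 2 * fit["sxx"]))
    return {"x0": x0, "s_x0": s_x0, "half_width": t * s_x0}


if __name__ == "__main__":
    fit = fit_calibration(CONC, RESPONSE)
    print(f"y = {fit['a']:.4f} + {fit['b']:.4f} x")
    print(f"sa = {fit['sa']:.4f}, sb = {fit['sb']:.4f}, s(y/x) = {fit['s_yx']:.4f}")
    print("residuals:", [round(r, 3) for r in fit["residuals"]])
    # Same replicate count, two positions on the line: centre vs. top end
    for y0 in (7.0, 13.0):
        p = predict_concentration(fit, y0)
        print(f"y0={y0}: x0={p['x0']:.3f} +/- {p['half_width']:.3f} (95 %)")
```

        Running it shows the point made in the answer: the read-back uncertainty is smallest for a sample whose response sits at the centre of the calibration range and grows towards the ends, and averaging replicate readings of the test sample shrinks it further. The residuals should be plotted and checked for a pattern before trusting the line; a curved residual plot means the straight-line model, not the data, is the problem.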

