Search results

ISO 9001 audit and certification

You are mentioning our ISO 9001:2015 Premium Documentation Toolkit. With the toolkit you can speed-up the design and implementation of your quality management system. After customizing the documentation and finishing the implementation you can select one of several certification bodies operating in your country to get ISO 9001:2015 certification. Certification costs depend on the number of days needed to audit an organization (normally a function of number of employees and complexity)

The following material will provide you more information to help you:

- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- Buying the documentation is not miraculous, there is still work to be done - ISO 27001 documents – Why the templates are not enough? - https://advisera.com/27001academy/blog/2012/04/24/the-documentation-myth-why-the-templates-are-not-enough/
- How should you pick an ISO 9001 certification body? - https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
- Please check this free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Steps for ISO 9001 implementation

The first step that I recommend is to perform a Gap analysis, to determine the amount of work to be done.

With this information you can develop your project plan, listing what needs to be done, by whom, until when.

After implementation, perform an internal audit and the management review. There you can decide that your organization is ready for certification audit.

You can get much more detailed information in the following links:

- Article - Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
- Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
- Article - Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
- ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
- Project Plan for ISO 9001 implementation - https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word
- Free webinar on demand – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
 

ISO 9001 document name requirements

Writing the name on documents is not a specific requirement in ISO 9001. However you need to make sure you control your documents and records according to the requirements of the standard and to do so you will need to identify them somehow. Usually the steps into document and record control are the following:

1. You need to identify that kind of document, assining it a name or designation, and assigning it an appropiate version.
2. You have to determine the authority that will approve that document and evidence that approval, for example by signature.
3. You need todetermine where and how will those documents be available and whom should have access to them.

The following material will provide you more information about document control:

- Article - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Enroll for free in this course -  ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Risk assessment internal and external criteria and factors

What are the internal and external criteria and factors that apply in the risk assessment?

Considering ISO 27005, the ISO standard for information security risk management, you have some of the following:

• Internal factors: business objectives, business processes, organizational structure, information assets
• External factors: geography, marketing trends, political and economical issues
• Risk evaluation criteria: strategic value of processes which handle business information, legal, regulatory and contractual requirements, business value of confidentiality, integrity, and availability
• Impact evaluation criteria: classification level of impacted information, affected operations (internal or of third-parties), breach of legal, regulatory or contractual requirements
• Risk acceptance criteria: business-related, legal and regulatory related, operational related, technological related, and financial related

This material will also help you regarding ISO 27001 risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

EU GDPR and Personal Data Processing

1.Who is responsible for the personal data which is processed with a third company (like a booking or a paying system)?

Booking companies and payment facilitators are acting as independent data controllers so they are responsible for all data they collect and process when providing the service to the data subjects.

2. If the Company can access the data (by e-mail, online account, etc,...) but doesn't hold those data?

If the data can be accessed it means the processing of personal data according to art 4 of the GDPR: Storing the data, is not a condition for processing.

If you want to find out more about the EU GDPR check out this free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/

Difference between Outsourcing and Contracting

While there are some variances, it is easiest to think of these two terms like this; outsourcing is when you get a supplier to perform one of your processes for you, such as heat treating, and this is generally done at the supplier’s site. On the other hand contractors generally work on your site and often do not affect the production processes, such as an electrician upgrading your building.

You can find out more about the ISO 45001 requirements in this helpful whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001

Control implementation

Please note that control A.14.2.5 "Secure system engineering principles" is covered in the Secure Development Policy template, located on folder 08 Annex A Security Controls >> A.14 System Acquisition Development and Maintenance

These articles will provide you further explanation about secure engineering principles and software development life cycle:
- What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

These sites can also provide further information: 

- https://www.nist.gov/news-events/news/2018/01/update-nist-special-publication-800-160-systems-security-engineering

- https://www.owasp.org/index.php/Security_by_Design_Principles

Communication plan

First is important to note that ISO 22301 nor ISO 27001 do not prescribe how a communication plan must be documented, so it is up to the organization to decide if it will be a separated document or not. 

For small and medium size organizations we understand that a separated document would increased administrative effort unnecessarily, so information related to communication plan is available in the several templates, for example:
- Disaster recovery plan, located on folder 08 Annex A >> A.17 Business Continuity >> 04 Business Continuity Plan
- Activity recovery plan, located on folder 08 Annex A >> A.17 Business Continuity >> 04 Business Continuity Plan

- Information Security Policy, located on folder 04 Information Security Policy
-  Incident management, located on folder 08 Annex A >> A.16 Incident Management 

In each document information related to communication is defined according the document purpose.

Template content - information classification policy

Please note that in section 2 of the Information Classification Policy there is reference to a Inventory of Assets, so there is no need to included reference to control a.8.1.1 (this inventory of assets is the Implementation of this control).

Awareness and training for secure software development

Hi, Christin. Please note that considering your scenario, an example of filling out the risk treatment plan columns you mentioned would be:

• Description of activities: Development of specification of safety requirements
• Training and awareness programs: Course about risk assessment, system Functional Specification, controls for Software security (these are the competencies required to fill in the specification of safety requirements)
• Method for evaluation of results: number of changes on specification of safety requirements considering failures on validation and acceptance testing (i.e., the less security failures in validation testes, and the less refusal of customers on delivered systems, the better are the specifications).