It is not clear which policy you are talking about, but the information you mention can be found in the following:
- Document retention: Each policy and procedure has a section called "Managing records kept on the basis of this document" where you define topics for document retention, such as retention time and disposal method
- Individual user agreement: this information can be found in these templates: Confidentiality statement (https://advisera.com/27001academy/documentation/confidentiality-statement/), and Security Clauses for Partners and Suppliers (https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/) which can also be used for employment contracts
- Reporting InfoSec Weaknesses and Events: this information can be found in the template Incident management procedure: https://advisera.com/27001academy/documentation/incident-management-procedure/
- Responding to InfoSec Reports: I'm assuming that by this one you are referring to the response to information security incidents. In this case this information can also be found in the template Incident management procedure.
- Rules for use of e-mail can be found in the template IT security policy: https://advisera.com/27001academy/documentation/it-security-policy/
I will consider three levels:
Each organization has the authority to determine the competency requirements for its internal auditors. As a minimum an internal auditor should have knowledge of ISO 14001 and knowledge of good auditing practices. Someone wanting to become an internal auditor can start with this course: ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
After that course the new internal auditor can start performing internal audits. Starting in a known environment and with known auditees helps a lot in the first audits. Smaller audits can be done, frequent audits can be done, several techniques can be tested, and this helps build trust in your own capabilities as a time and stress manager.
After several internal audits you can start trying a new environment, performing internal audits as an external auditor. That will test your ability to audit with different people, with different operations and with different cultures.
Whenever you think you are prepared to become a lead auditor you can start a course like this one: ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
After that course you can contact several certification bodies and give them your CV stressing your experience and qualifications.
Complement your training with reading whatever you can find about preparing, performing and reporting an audit. I find it useful to discover new tools to use during an audit and learn what other professionals think. You can start with these articles and book:
You can exclude control A.7.2.2 and texts which refer to it, and still be compliant with ISO 27001 requirements, if:
Regarding suppliers, ISO 27001 requires only the handling of related unacceptable information security risks, which is only a small part of the supplier relationship management process. Including other documents for supplier relationship management would only make the ISMS management unnecessarily complex, so we decided not to include them in the toolkit.
If your organization needs such additional documents for management of supplier relationships I suggest you take a look at these templates, to see if they can fulfill your needs:
- Supplier Management Process https://advisera.com/20000academy/documentation/supplier-management-process/
- Underpinning Contract https://advisera.com/20000academy/documentation/underpinning-contract/
- Supplier Contract https://advisera.com/20000academy/documentation/supplier-contract/
- Supplier Performance Report https://advisera.com/20000academy/documentation/supplier-performance-report/
- Supplier Agreement Portfolio https://advisera.com/20000academy/documentation/supplier-agreement-portfolio/
This article will provide you further explanation about supplier management:
- ITIL Supplier Management and Service Level Management – How to put the two in balance https://advisera.com/20000academy/blog/2015/11/10/itil-supplier-management-and-service-level-management-how-to-put-the-two-in-balance/
No, you do not need those documents. It is just necessary to state in the Quality manual which requirements are not applicable for you and why. For example, you will state in your Quality manual that requirement 7.5.5 Particular requirements for sterile medical devices is not applicable for you because you do not produce sterile medical devices.
It is not necessary for all employees to be educated in ISO 13485. There is no such requirement. However, there is a requirement 6.2 Human resources that all personnel performing work affecting product quality must have competencies or must be trained to achieve those competencies. For example, the person who does the programming alone must know the basics of ISO 13485 that are applicable. A marketing person, for example, does not need to know the requirements of ISO 13485. A QA person does need to be educated in ISO 13485:2016.
Besides ISO 13485:2016, a QA person must have knowledge of any other standard that is specific to certain medical devices. For example, there is a medical software standard IEC 62304:2006 Medical device software — Software life cycle processes https://www.iso.org/standard/38421.html, so a QA person must know which requirements from that standard are applicable or not. Also, any medical device that wants to be CE marked must be in compliance with the Medical device regulation https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02017R0745-20170505, regardless of the medical device classification.
In terms of Human Resources, a policy with such details as you stated is not mandatory under ISO 27001, and to keep the number of documents in the toolkit as small as possible we included in the toolkit only the mandatory documents and the most commonly used ones.
Considering that your organization needs this document for other reasons (normally an HR Security Policy is not recommended for smaller companies regarding ISO 27001), you can schedule a meeting with one of our experts to help you develop this document (online live consultation is part of your toolkit). You can schedule a meeting at this link: https://advisera.com/27001academy/consultation/
These articles will provide you information about some topics you raised:
- What to consider in case of termination or change of employment according to ISO 27001 https://advisera.com/27001academy/blog/2018/09/03/what-to-consider-in-case-of-termination-or-change-of-employment-according-to-iso-27001/
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
For ISO Management System standards the internal audit can be performed either by the organization's own employees or by an external company on the organization's behalf.
Please note that this internal audit performed by an external organization should not be confused with the certification audit, which is performed by a certification body.
This article will provide you further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
Neither ISO 27001 nor NIST controls define a frequency for penetration testing, but a good start to define pen testing periodicity would be these criteria:
- results of previous penetration tests
- importance and related risks to the processes/systems that will be part of the penetration test's scope
This article will provide you further explanation about penetration tests:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/