ISO/TS 29001's main advantage is that it includes specific requirements of the petroleum industry. ISO 9001 has general requirements, but ISO/TS 29001 includes specific requirements relevant to the industry and its risks.
Thanks, Carlos
ISO 9001 is about implementing a quality management system and is applicable to any kind of organization. Quality management systems can be certified by a certification body.
ISO 17025 is about "General laboratory competency of testing calibration requirements" and is applicable to laboratories that produce results, like the composition of a sample, that can be used in a court of law. ISO 17025's main concern is the competent, impartial, and consistent operation of laboratories. ISO 17025 is mainly used by calibration laboratories. Laboratories are accredited by an accreditation body.
The following material will provide you with more information about ISO 17025:
- What is ISO 17025? - https://advisera.com/17025academy/what-is-iso-17025/
- Please check our ISO/IEC 17025 Blog - https://advisera.com/17025academy/blog/
- Download free ISO/IEC 17025 materials - https://advisera.com/17025academy/free-downloads/
It is possible to include this new part of the scope in the surveillance audit for year 2, provided that you inform your certification body of this change in due time, that the new part of the scope fulfills all requirements of the standard, and that the risks related to integrating this new scope into the current one are assessed and treated as necessary.
A lack of capacity in an asset (e.g., equipment, media, service, etc.) to store, process and/or transmit data directly affects the concept of information availability. This impact on availability can occur when an asset is destroyed, has an unplanned stop, or is required beyond the limit to which it can be used.
The capacity of an asset has no direct impact on integrity or confidentiality.
For further information, please read:
- Implementing capacity management according to ISO 27001:2013 control A.12.1.3 https://advisera.com/27001academy/blog/2016/02/22/implementing-capacity-management-according-to-iso-270012013-control-a-12-1-3/
- Can ISO 27001 help your organization in a DDoS attack? https://advisera.com/27001academy/blog/2017/12/04/can-iso-27001-help-your-organization-in-a-ddos-attack/
Yes, you do need to provide evidence for this section 7, but only for those sections that are applicable to your company. Therefore, for each section that is not applicable to you, you can state that in your Quality Manual. For example, section 7.5.2 Cleanliness of product is probably not applicable, then 7.5.5 Particular requirements for sterile medical devices, 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems, and 7.5.9.2 Particular requirements for implantable medical devices. For each of these sections you need to provide justification for why it is not applicable. For example, you can state "7.5.2 Cleanliness of product is not applicable since we do not produce any product" or "7.5.5 Particular requirements for sterile medical devices is not applicable since we do not produce sterile medical devices."
Some common threats related to network equipment like routers, core switches, and firewalls are:
This article will provide you with further examples of applicable threats:
Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
Thank you very much. This was a confirmation for me.
1. How to submit to our dept/unit (Human Resources) the quality objectives?
Your organization defined some quality objectives and you need to deploy them to the HR department. I would start with a presentation from top management communicating to everyone what the quality objectives are and why they are important for all. Then, I would meet the HR manager to work with him or her around the question: how can the HR team contribute to meeting these objectives? For example, a quality objective like "Reduce delivery delays by ..." may be helped by reducing absenteeism. Can HR assume a departmental objective to reduce absenteeism? If that is the case, do not forget to include how much the organization saves (or does not lose) by reducing delivery delays and absenteeism.
2. How to submit to our dept/unit (Human Resources) the internal & external risks that can affect the intended objectives of the dept/unit quality management system?
Start with the intended objectives; I always recommend starting from there when determining risks and opportunities. What can be seen as a source of friction against meeting the objectives? Those are the risks.
What could undermine your intention of reducing absenteeism? You can call a team together and run a brainstorming session, perhaps using a cause-effect diagram to develop a list of possible risks.
After listing those risks, evaluate them.
The following material will provide you with more information about quality objectives and risks:
- Article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
- Article - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Article - How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- Free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
1 - What would be the best approach for us to get certified for ISO 27001? Self-implement, consultant?
Answer: The most common approaches to implement ISO 27001 are:
Each one of them has its advantages and disadvantages. For more information, I suggest the following materials:
These materials will also help you regarding ISO 27001 implementation:
2 - Is the initially defined scope practical in your expert opinion?
Answer: Separate scopes certified at different times are a good approach when you have limited resources and some business units, besides the head office, are more critical than others (you can certify them in the order most relevant to the business).
It is important to note that you do not need to certify the other business units after the head office (if ISO 27001 certification is more urgent for the business units, you can start with them).
For further information regarding scope definition, see:
3 - Are your templates and services applicable to our company, as they are designed for small and medium corporations?
Answer: It is true that our templates are designed for companies of up to 500 employees. Therefore, for organizations with more than 500 employees the templates will require you to add more text to some of the documents (e.g., the Risk Assessment Methodology) to address the higher complexity of a company of your size. We do have a couple of larger clients who adapted the templates successfully.