When you ask about the need to certify to ISO 45001 you could mean one of two things, so I will answer both questions:
First, the ISO 45001:2018 standard has the option to either certify your OHSMS with an external organization, or to self-determine and self-declare conformance to the standard by the company. This could then be confirmed by interested parties or others; this is all captured in section 0.5, Contents of this document. What this means is that you can use the ISO 45001 requirements to implement an OHSMS at your organization, and then declare that you meet the requirements without having a third-party certification body audit your organization; you could not use the term certified though with self-declaration.
Second, if you are asking if there is a requirement to implement the ISO 45001 standard and create an OHSMS at your company, then this is something that you need to verify with your customer and legal requirements. If you have a customer or legal entity demanding this, then implementation is something you will need to do. ISO itself has no legal authority to impose these requirements on an organization, so you will need to verify your own industry, customer and legal requirements.
There are good reasons to implement the OHSMS even if it is not required, and you can read more about these benefits in the article: 4 key benefits of ISO 45001 for your business, https://advisera.com/45001academy/blog/2015/09/30/4-key-benefits-of-iso-45001-for-your-business/
1. How many organizations have implemented ISO 27001 and got certified?
There is no way to obtain information about how many organizations have implemented ISO 27001, since it is not mandatory for organizations to publicize that they have adopted the practices of this standard.
Regarding information about ISO 27001 certified organizations, unfortunately, there is no central list of certified organizations (you must consult each certification body to track which companies are certified by them).
However, the ISO site provides an ISO survey where you can find general information about certifications, like total quantity, quantity per country, quantity per industry, etc. It does not name organizations.
You can find this survey at this link: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1
According to this survey, in 2018 we had a total of 31910 ISO 27001 certified organizations around the world.
2. How long does it take to get ISO 27001 certification?
The duration of the implementation project varies according to many variables (e.g., available resources, experience with standard's requirements, top management involvement, etc.), but for small and medium-size organizations the implementation generally varies from 3 to 12 months.
To get an insight into the time duration for your organization, please access our ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
This article will provide you a further explanation about the implementation process:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
3. How much does ISO 27001 certification cost?
There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it is not possible to give a precise value. What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employees' effort and time
- The certification process
Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.
These articles can provide you more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/
ISO 27001 requirements regarding business continuity are covered by section A.17 of its Annex A (Information security aspects of business continuity management), and they are mostly related to IT disaster recovery.
ISO 27001, like other management standards, does not prescribe how to implement solutions, only what must be implemented, and this approach makes it easier to integrate these controls with practices of other standards, like BIR 31111 & ISO 22301.
These articles will provide you a further explanation about business continuity and ISO 27001:
- How can ISO 27001 and ISO 22301 help with critical infrastructure protection? https://advisera.com/27001academy/blog/2017/09/25/how-can-iso-27001-and-iso-22301-help-with-critical-infrastructure-protection/
- How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
We have received an additional question:
Let me rephrase the question. We created/developed our BCP. Now what?
For parts of your BCP that require the availability of prior infrastructure, equipment or services to support the plan (e.g. you may need a secondary site with servers and software already deployed, with an available communication link), you should treat these arrangements as a project, and for that you can use as a model for guidance the Project Plan located at this link: https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation
Additionally, after making all the arrangements that are the basis for executing the BCP, you need to perform exercising and testing, and for that I suggest you take a look at the demo of our Exercising and Testing Report at this link: https://advisera.com/27001academy/documentation/form-exercising-and-testing-report/
For further information, please read:
- How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/
ISO 9001:2015 does not require 100% inspection. Unless that is an explicit or contracted customer requirement it is not usual to perform 100% inspection.
First, analyze your current performance: What is the level of defects? Can you identify trends? Are there any defect-types more common than others? Are there any day of the week, line of production, type of product, shift, … more prone to defects? Does your organization follow statistical process control to monitor process performance?
If your organization cannot accept the present level of defects, it must engage in one or more quality improvement project(s).
Some organizations use sampling plans based on an ISO standard (ISO 2859-1) to conclude with a certain level of certainty the quality of a lot based on a sample. So, instead of 100% inspection, your organization will design a quality control and/or a process control plan(s) in order to monitor performance and act when needed.
Some organizations with very low defect levels do what they call a product audit instead of inspection. For example, they go to the warehouse, pick a package ready to go and start with the box, the labels, the way the product was put in the box, and then analyze the product. Of course they inspect the product, but if they find any nonconformity their main concern is with what is not working in their process that allowed this to happen.
The following material will provide you more information about inspection:
- Article - Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/
- Article - How to establish QMS Statistical Process Control according to IATF 16949 - https://advisera.com/16949academy/blog/2017/08/30/how-to-establish-qms-statistical-process-control-according-to-iatf-16949/
- Article - How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
- Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
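The answer above explains that a sampling plan lets an organization judge the quality of a whole lot from a sample instead of inspecting 100%. The following Python script is an added example, not code from the Advisera answer or from ISO 2859-1: it computes the probability that a single sampling plan (sample size n, acceptance number c) accepts a lot at a given defect level, draws the operating characteristic (OC) curve numerically, and finds the smallest sample size that keeps the consumer's risk below a chosen bound. The lot sizes, plan parameters and defect fractions are constructed values, not table entries from the standard.

```python
"""Operating characteristic of a single acceptance-sampling plan.

Added example; not from the Advisera post and not using ISO 2859-1 tables.
A plan is (n, c): draw n items from the lot, accept the lot if at most c
sampled items are defective. All numbers below are constructed for illustration.
"""
from math import comb


def accept_prob_hypergeometric(lot_size: int, sample_size: int,
                               accept_number: int, defectives: int) -> float:
    """Exact P(accept) when `defectives` bad items sit in a lot of `lot_size`
    and `sample_size` items are drawn without replacement:
    sum over k <= c of C(D, k) * C(N - D, n - k) / C(N, n)."""
    if not 0 <= sample_size <= lot_size or not 0 <= defectives <= lot_size:
        raise ValueError("inconsistent lot/sample/defective counts")
    total = comb(lot_size, sample_size)
    upper = min(accept_number, defectives, sample_size)
    return sum(
        comb(defectives, k) * comb(lot_size - defectives, sample_size - k)
        for k in range(upper + 1)
    ) / total


def accept_prob_binomial(sample_size: int, accept_number: int,
                         fraction_defective: float) -> float:
    """Large-lot approximation: each sampled item is defective independently
    with probability p, so P(accept) is the binomial CDF at c."""
    p = fraction_defective
    if not 0.0 <= p <= 1.0:
        raise ValueError("fraction_defective must be in [0, 1]")
    return sum(
        comb(sample_size, k) * p ** k * (1 - p) ** (sample_size - k)
        for k in range(accept_number + 1)
    )


def oc_curve(sample_size: int, accept_number: int, fractions):
    """Operating characteristic: (fraction defective, P(accept)) pairs."""
    return [(p, accept_prob_binomial(sample_size, accept_number, p))
            for p in fractions]


def min_sample_size(accept_number: int, limiting_quality: float,
                    consumer_risk: float, max_n: int = 10000) -> int:
    """Smallest n such that a lot at the limiting quality (fraction defective)
    is accepted with probability <= consumer_risk (beta), for a fixed c."""
    for n in range(accept_number + 1, max_n + 1):
        if accept_prob_binomial(n, accept_number, limiting_quality) <= consumer_risk:
            return n
    raise ValueError("no plan found within max_n")


if __name__ == "__main__":
    # Constructed plan: lot of 1000, sample 50, accept if 0 or 1 defectives found.
    print("OC curve for plan (n=50, c=1):")
    for p, pa in oc_curve(50, 1, [0.0, 0.01, 0.02, 0.05, 0.10]):
        print(f"  fraction defective {p:.2f} -> P(accept) {pa:.3f}")
    exact = accept_prob_hypergeometric(1000, 50, 1, 20)
    print(f"Exact P(accept) for 20 defectives in 1000 (n=50, c=1): {exact:.3f}")
    n = min_sample_size(0, 0.05, 0.10)
    print(f"c=0 plan rejecting a 5% defective lot 90% of the time needs n={n}")
```

The OC curve is the practical check on any plan: if lots at a defect level the organization cannot tolerate are still accepted with a high probability, the plan is too loose and either n must grow or c must shrink, which is exactly the trade-off the sampling standard's tables encode.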
1. As far as I understand the offer, the package includes unlimited questions via email, right?
As part of our support service, our clients indeed have an unlimited number of questions to send us via email, to clarify their doubts about ISMS implementation and operation.
2. I am looking for areas regarding data retention and requirements from ISO 27001 standards. Does ISO 27001 require a definition of "data retention"? I haven't found any control about it nor template in the toolkit.
ISO 27001 has some clauses in sections 4 to 10 that require retention of documents and records (e.g. ISMS scope in clause 4.3, ISMS Policy in clause 5.2, results of risk assessment in clause 6.1.2, etc.), and a specific requirement for retention of documents and records in clause 7.5.3 f.
The retention of documents and records is handled in the section "Managing records kept on the basis of this document" of each template, where items like retention time and form of disposal are defined.
For further information, see: Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
3. Does ISO 27001 require keeping "Records of erasure"?
Keeping the evidence that data was erased is mandatory for ISO 27001 only if:
- there are unacceptable risks whose treatment demands such evidence
- there are contracts, laws or regulations you have to follow which demand such evidence
- there is a top management decision demanding such evidence
If none of the above-mentioned situations occurs, then there is no need to keep such evidence.
For further information, please read:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
4. Are "Records of erasure" applicable in case of offboarding, or also as part of retention of data? Offboarding employee = Termination of Contract with Employee. That means that as part of the offboarding checklist the access is removed and the laptop is "erased" for reuse by another person. In my understanding, that provides enough evidence that the device/laptop/asset has been erased and satisfies A.11.2. Is that the right understanding?
I'm assuming that by A.11.2 you are referring to control A.11.2.7 (Secure disposal or reuse of equipment).
Considering that, please note that control A.11.2.7 does not require "Records of erasure" to be kept, but if control A.8.3.2 is applicable (see answer 3) and the information on the device is classified as sensitive, the use of an offboarding checklist identifying the erased device and who performed the task is acceptable as an audit trail and as evidence that control A.8.3.2 is implemented.
First, remember that ISO 14001 uses the word “considering”. That means that you should evaluate if in your organization’s case it is relevant to try to control or influence environmental aspects beyond the organization’s borders.
So, when determining environmental aspects, consider whether there are relevant environmental aspects related to:
- Suppliers or transport to your facilities?
- Development and tests of new products and/or services?
- Manufacturing or provision?
- Storing and transport to customers?
- Installation and/or servicing?
- Use by users?
- Final disposal by owners?
The following material will provide you more information about aspects and impacts and life-cycle:
- Article – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
- Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
- Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Free webinar on demand - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
Although both ISO 27001 and CISM focus mainly on information security management, CISM goes deeper into the strategic relationships between information security, the information systems and the business objectives.
Considering that and your stated profile, you should consider CISM.
On the other hand, if in the future you want to become a consultant or auditor, then ISO 27001 certifications would be a better choice.
If you want to consider an ISO 27001 career you can follow:
- ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
- ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and with this it provides more confidence to an organization being certified).
These articles will provide you a further explanation about ISO 27001 personnel certifications:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
This material will also help you regarding ISO 27001 personnel certifications:
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
For courses related to these certifications, please see:
- ISO 27001:2013 LEAD AUDITOR COURSE https://advisera.com/training/iso-27001-lead-auditor-course/
- ISO 27001:2013 LEAD IMPLEMENTER COURSE https://advisera.com/training/iso-27001-lead-implementer-course/
If you have referenced both GPG 2018 and ISO 22301 in your BCM policy, then you have to perform the gap analysis considering both documents. Additionally, you also have to consider the legal requirements (e.g., laws, regulations, contracts, etc.) your organization must fulfill.
Regarding content, GPG 2018 and ISO 22301 are quite similar, but ISO 22301 is a worldwide recognized standard, while GPG is a Good Practice Guideline, so using ISO 22301 would be a better option to provide more assurance that your policy is aligned with the worldwide approach for business continuity management.
Although the Procedure for Documentation and Validation of Computer Software is written in general terms, it still covers all the necessary elements of CSV.
Regarding GAMP 5, the following needs to be understood. GAMP 5 describes a set of principles and procedures that help ensure that pharmaceutical software has the required quality.
GAMP talks about "the How" and ISO 13485 talks about "the What" during the validation of computer-based software for pharma companies. GAMP is a methodology and ISO 13485 is a regulation. So, to answer your question directly – our procedure does not take all requirements from GAMP 5 into consideration.