We have received an additional question:
Let me rephrase the question. We created/developed our BCP. Now what?
For parts of your BCP that require the availability of previous infrastructure, equipment or services to support the plan (e.g. you may need a secondary site with servers and software already deployed, with an available communication link), you should treat these arrangements as a project, and for that you can use as a model for guidance the Project Plan located at this link: https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation
Additionally, after making all the arrangements that are the basis for executing the BCP, you need to do exercising and testing, and for that, I suggest you take a look at the demo of our Exercising and Testing Report at this link: https://advisera.com/27001academy/documentation/form-exercising-and-testing-report/
For further information, please read:
- How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/
ISO 9001:2015 does not require 100% inspection. Unless that is an explicit or contracted customer requirement, it is not usual to perform 100% inspection.
First, analyze your current performance: What is the level of defects? Can you identify trends? Are there any defect types more common than others? Is any day of the week, production line, type of product, shift, … more prone to defects? Does your organization follow statistical process control to monitor process performance?
If your organization cannot accept the present level of defects, it must engage in one or more quality improvement project(s).
Some organizations use sampling plans based on an ISO standard (ISO 2859-1) to conclude with a certain level of certainty the quality of a lot based on a sample. So, instead of 100% inspection, your organization will design a quality control and/or a process control plan(s) in order to monitor performance and act when needed.
Some organizations with a very low defect level do what they call a product audit instead of inspection. For example, they go to the warehouse, pick a package ready to go, and they start with the box, the labels, the way the product was put in the box, and then analyze the product. Of course they inspect the product, but if they find any non-conformity their main concern is with what is not working in their process that allows this to happen.
The following material will provide you with more information about inspection:
- Article - Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/
- Article - How to establish QMS Statistical Process Control according to IATF 16949 - https://advisera.com/16949academy/blog/2017/08/30/how-to-establish-qms-statistical-process-control-according-to-iatf-16949/
- Article - How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
- Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
1. As far as I understand the offer, the package includes unlimited questions via email, right?
As part of our support service, our clients indeed have an unlimited number of questions to send us via email, to clarify their doubts about ISMS implementation and operation.
2. I am looking for areas regarding data retention and requirements from ISO 27001 standards. Does ISO 27001 require a definition of "data retention"? I haven't found any control about it nor template in the toolkit.
ISO 27001 has some clauses in sections 4 to 10 that require retention of documents and records (e.g. ISMS scope in clause 4.3, ISMS Policy in clause 5.2, results of risk assessment in clause 6.1.2, etc.), and a specific requirement for retention of documents and records in clause 7.5.3 f).
Retention of documents and records is handled in the section "Managing records kept on the basis of this document" of each template, where items like retention time and form of disposal are defined.
For further information, see: Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
3. Does ISO 27001 require keeping "Records of erasure"?
Keeping the evidence that data was erased is mandatory for ISO 27001 only if:
- there are unacceptable risks whose treatment demands such evidence
- there are contracts, laws or regulations you have to follow that demand such evidence
- there is a top management decision demanding such evidence
If none of the above-mentioned situations occurs, then there is no need to keep such evidence.
For further information, please read:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
4. Are "Records of erasure" applicable in case of offboarding, or also as part of retention of data? Offboarding employee = Termination of Contract with Employee. That means that as part of the offboarding checklist the access is removed and his laptop is "erased" for reuse by another person. In my understanding, that provides enough evidence that the device/laptop/asset has been erased and satisfies A.11.2. Is this the right understanding?
I'm assuming that by A.11.2 you are referring to control A.11.2.7 (Secure disposal or reuse of equipment).
Considering that, please note that control A.11.2.7 does not require "Records of erasure" to be kept, but if control A.8.3.2 is applicable (see answer 3), and information on the device is classified as sensitive, the use of an offboarding checklist, identifying the erased device and who performed the task, is acceptable as an audit trail and as evidence that control A.8.3.2 is implemented.
First, remember that ISO 14001 uses the word “considering”. That means that you should evaluate if in your organization’s case it is relevant to try to control or influence environmental aspects beyond the organization’s borders.
So, when determining environmental aspects, think about whether there are relevant environmental aspects related to:
- Suppliers or transport to your facilities?
- Development and tests of new products and/or services?
- Manufacturing or provision?
- Storing and transport to customers?
- Installation and/or servicing?
- Use by users?
- Final disposal by owners?
The following material will provide you with more information about aspects, impacts and life-cycle:
- Article – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
- Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
- Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Free webinar on demand - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
Although the main focus of both ISO 27001 and CISM is information security management, CISM goes deeper into the strategic relationships between information security, the information systems, and business objectives.
Considering that and your stated profile, you should consider CISM.
On the other hand, if in the future you want to become a consultant or auditor, then ISO 27001 certifications would be a better choice.
If you want to consider an ISO 27001 career you can follow:
- ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
- ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization that is being certified).
These articles will provide you with a further explanation about ISO 27001 personnel certifications:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
This material will also help you regarding ISO 27001 personnel certifications:
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
For courses related to these certifications, please see:
- ISO 27001:2013 LEAD AUDITOR COURSE https://advisera.com/training/iso-27001-lead-auditor-course/
- ISO 27001:2013 LEAD IMPLEMENTER COURSE https://advisera.com/training/iso-27001-lead-implementer-course/
If you have referenced both GPG 2018 and ISO 22301 in your BCM policy, then you have to perform the gap analysis considering both documents. Additionally, you also have to consider the legal requirements (e.g., laws, regulations, contracts, etc.) your organization must fulfill.
Regarding content, GPG 2018 and ISO 22301 are quite similar, but ISO 22301 is a worldwide recognized standard, while GPG is a Good Practice Guideline, so using ISO 22301 would be a better option to provide more assurance that your policy is aligned with the worldwide approach for business continuity management.
Although the Procedure for Documentation and Validation of Computer Software is written in general, it still covers all the necessary elements of CSV.
Considering GAMP 5, the following needs to be understood. GAMP 5 describes a set of principles and procedures that help ensure that pharmaceutical software has the required quality.
GAMP talks about "the How" and ISO 13485 talks about "the What" during the validation of computer-based software for pharma companies. GAMP is a methodology and ISO 13485 is a regulation. So, to answer your question directly – our procedure does not take all requirements from GAMP 5 into consideration.
If the customer requirement is IATF 16949, then the suggestion is to go straight to IATF 16949 certification.
There is no need to apply ISO 9001 first, because IATF 16949 contains all of the ISO 9001 requirements and it is more advanced.
First, you should become familiar with the standard itself.
For more information on IATF 16949, please read the following articles:
What is IATF 16949: https://advisera.com/16949academy/what-is-iatf-16949/
How to structure IATF 16949 documentation: https://advisera.com/16949academy/knowledgebase/how-to-structure-iatf-16949-2016-documentation/
What are the five core tools of IATF 16949: https://advisera.com/16949academy/blog/2017/08/23/what-are-the-five-core-tools-of-iatf-16949/
List of mandatory documents: https://advisera.com/16949academy/knowledgebase/list-of-mandatory-documents-required-by-iatf-16949-2016/
Determine your organization's main interested parties. Gather a diverse team that together knows how your organization works, give them sticky notes, and start to describe, with simple verbs and a noun, what your organization does to serve and satisfy those interested parties. Then, organize those activities that have something in common into relevant sets: the processes.
The following material will provide you with more information about process determination and characterization:
- ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
- Free webinar - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (Please check the table of contents and the list of figures)
The design and development procedure should be different from the production and service provision procedure. This is because they are different processes and, in addition, they have distinct requirements. In the case of design and development, it must meet the requirements of clause 8.3, while in the case of production and service provision it would be clause 8.5. However, keep in mind that these procedures are recommended but not mandatory; it is the organization itself that decides whether or not to develop the procedures.
These materials can help you understand the difference between the two procedures:
- Article - ISO 9001 design process explained: https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
- Article - Managing production and service provision using ISO 9001: https://advisera.com/9001academy/blog/2017/11/21/managing-production-and-service-provision-using-iso-9001/
- Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/