  • Withdrawing documents


    Answer

    There is not a single answer. Each organization should develop its own approach. One can consider that withdrawing a document is another way of changing its version. Any document introduced, and any following change, must be approved by an authorized function. Any document change should be communicated to users, formally or informally. So, for example, I would like to see evidence that the withdrawal was approved by an authorized function, and I would like to see evidence of that communication; if it was informal, I would like to interview different previous users to check whether they were informed. Different organizations will use different levels of formality.

    The following material will provide you with more information about document control:

    - ISO 9001 – How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • ISO 27001 implementation project


    1. Would it be a good idea to start with a narrow scope and then extend it with time? (The top management is only interested in certification)

    Answer: For small organizations (up to 50 employees), it may be better to include the whole organization in the scope, because the effort to separate the elements in scope from the rest of the organization may not be worthwhile. In other cases you can start with a small scope and extend it over time, if this is of interest to top management.

    These articles can provide further information:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    2. How would I split the tasks among my team? For example, should I ask one person to perform the risk assessment and then another person to perform the risk treatment? Or should these tasks be shared among the team?

    Answer: This will also depend on the size of the organization's scope and the size of the implementation team.
    A common approach is to establish a project team which will divide the project among themselves, but you have to note that there will still be some tasks for people outside of this team, e.g. performing a risk assessment for particular departments, reviewing specific documents, etc.

    This article will provide further explanation about defining responsibilities in the implementation project:
    - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/
  • ISO 45001 integration with ISO 9001

    (1) Can I incorporate ISO 45001 into our ISO 9001:2015 QM? I am not sure how to do so. Procedures I can handle using a separate volume.
    Answer: You are correct, OHSAS 18001 is being replaced by ISO 45001:2018, and companies who have the previous standard in place need to transition before 2021 to keep a valid certification for their OHSMS. As for incorporating ISO 45001 into an ISO 9001:2015 management system, this is certainly possible and often preferred. Both standards now follow the same document structure, so it is easy to see what is common, such as internal audit, control of documented information and management review. In this way you can even use the same processes and procedures for these common elements and ensure that you cover both aspects of the processes.
    You may find it helpful to read the free whitepaper: How to integrate ISO 45001 with ISO 9001 and ISO 14001, https://advisera.com/45001academy/blog/2018/09/12/how-to-integrate-iso-45001-with-iso-9001-and-iso-14001/

    (2) How would certification bodies audit us: in one go or on separate occasions?
    Answer: When a company has more than one certification it is possible to have one certification body perform the certification audits together, at the same time. There will be additional auditing time allotted, but as with the internal audits it is possible to audit some elements together and cover both standards. However, this would only be the case if you have the same certification body for both standards; if you choose to have different certification bodies for each standard, they may not be able to do a joint audit.
    To better understand the requirements of ISO 45001:2018, see our whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • Personal data breach and DPO


    Answer:

    You can find readily available templates for a Data Breach Policy, as well as notification templates to be used when subject to a personal data breach, in this EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/).

    The same toolkit also contains a Task Description that can be used when appointing a DPO.
  • ISO 27017 and ISO 27018 certification


    Answer: First it is important to note that ISO 27017 and ISO 27018 are not certifiable standards (some certification bodies "certify" against ISO 27017 and ISO 27018, but only during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series).

    Considering that, the ISO 27001 certification is valid for three years.

    These articles can provide further information:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

    2. Are there surveillance audits every year as with ISO 27001?

    Answer: If your certification body includes in the certification a statement that you are also compliant with ISO 27017 and ISO 27018, the surveillance audits will be the same as for a normal ISO 27001 certification, normally one each year.

    This article will provide further explanation about surveillance audits:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
  • Residual risks


    Question 1) Is this vision of a "second" residual risk correct?

    Answer: I think there is a misunderstanding here. When you apply a policy over an "inherent risk" you are already treating a risk (first you would have to evaluate the inherent risk against the acceptance criteria, i.e. the risk appetite). If this first residual risk after applying this control is still over the risk appetite, you have two options: accept the residual risk as it is (because applying more controls will not be worthwhile), or apply additional controls to further decrease the risk (then you would have the "second", "third" residual risk, and so on).

    Considering this, before applying any control you have to evaluate the inherent risk first.

    This article can provide you further information:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    Question 2: Can I use the same controls assessment policy for estimating "second" residual risk?

    Answer: The methodology you use to assess the inherent risk can also be used to assess the risk after the control application.
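    The iteration described in the two answers above (inherent risk evaluated against the appetite, then a residual risk recalculated with the same method after each control, stopping when the risk is within appetite or when no further control is worthwhile), as an added worked example that is not part of the original answer. It assumes a 1-5 likelihood x 1-5 impact scoring scale, an appetite expressed as a maximum acceptable score, and controls modelled as reductions of likelihood and/or impact; ISO 27001 prescribes none of these, they are one common way of doing it. The laptop-theft sample data is constructed.

```python
"""Added example (not from the original page): iterative risk treatment that
reuses one assessment method for the inherent risk and every residual risk.

Assumptions (not from the page): 1-5 likelihood x 1-5 impact scale, risk
appetite = maximum acceptable score, controls reduce likelihood/impact points.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # scale points the control removes from likelihood
    impact_reduction: int = 0      # scale points the control removes from impact


@dataclass(frozen=True)
class RiskAssessment:
    """One row of the risk register: inherent or n-th residual risk."""
    label: str
    likelihood: int
    impact: int
    appetite: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def acceptable(self) -> bool:
        return self.score <= self.appetite


def assess(label: str, likelihood: int, impact: int, appetite: int) -> RiskAssessment:
    """The single assessment method, applied to inherent and residual risk alike."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return RiskAssessment(label, likelihood, impact, appetite)


def treat_risk(likelihood: int, impact: int, appetite: int, controls: list) -> list:
    """Return [inherent, residual #1, residual #2, ...].

    The inherent risk is evaluated first. Controls are applied in order and a
    new residual risk is assessed after each one; the loop stops as soon as the
    residual risk is within appetite (further controls are not worthwhile).
    If controls run out while still above appetite, the last entry is the
    residual risk management must either accept explicitly or treat further.
    """
    chain = [assess("inherent", likelihood, impact, appetite)]
    for n, control in enumerate(controls, start=1):
        if chain[-1].acceptable:
            break
        likelihood = max(1, likelihood - control.likelihood_reduction)
        impact = max(1, impact - control.impact_reduction)
        chain.append(assess(f"residual #{n} ({control.name})", likelihood, impact, appetite))
    return chain


def treatment_decision(chain: list) -> str:
    """Decision to record for the final residual risk."""
    if chain[-1].acceptable:
        return "accept"
    return "above appetite: accept explicitly or treat further"


if __name__ == "__main__":
    # Constructed sample: theft of a laptop holding customer data.
    # Inherent L=4, I=5 (score 20) against an appetite of 6.
    controls = [
        Control("Access control policy", likelihood_reduction=1),
        Control("Full-disk encryption", impact_reduction=3),
        Control("Remote wipe", impact_reduction=1),  # never reached: already within appetite
    ]
    chain = treat_risk(4, 5, 6, controls)
    for row in chain:
        print(f"{row.label:40} L={row.likelihood} I={row.impact} "
              f"score={row.score:2} acceptable={row.acceptable}")
    print("decision:", treatment_decision(chain))
```

    Running it shows the register rows inherent (20), residual #1 (15) and residual #2 (6); the third control is never applied because the second residual risk is already within the appetite of 6, which is the "accept the residual risk as it is" branch of the answer.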
  • Internal auditors and competence

    We've received additional questions:

    > Are the surveillance audits a new requirement of the ISO 9001:2015 standard?
    > What happens if we don’t do the surveillance audits and just do the renewal on year 3?

    Answer
    Surveillance audits are not a requirement of ISO 9001:2015. Surveillance audits are a requirement from your contract with the certification body. Certification is not an ISO 9001:2015 requirement. Certification is a management decision. Many organizations use ISO 9001 as help to implement a management system without performing the extra step of certification.

    ISO 9001 only mentions internal audits.

    Certification bodies cannot propose a contract that does not include surveillance audits because that would go against their accreditation procedures.
  • Continual improvement


    Answer:

    There are no mandatory documents required by clause 10.3 - Continual Improvement. However, your organization needs to demonstrate continual improvement by reviewing the documentation and processes as the quality management system matures or when a new process is implemented. The organization can use the data output from its processes, for example results from internal audits, management reviews, etc., to support that continual improvement is happening.

    You can also see these materials to help you with the requirement of continual improvement in ISO 9001:2015:
    - White paper - Clause by clause explanation of ISO 9001:2015: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Conditions to pursue ISO 27001 certification


    Answer: If you do not have evidence to show compliance with all requirements from sections 4 to 10, and that the controls from Annex A stated as applicable in the Statement of Applicability (SoA) are implemented and working, it makes no sense to go for a certification audit, since the certification auditor will not have enough evidence to verify whether the ISMS is implemented and operational.

    For further information, see:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

    2. How long should I be operational prior to conducting the audit? 6 mos minimum.

    Answer: A good reference you can use to define the time you need a process or control to be operating to have enough data to be audited is to ensure it has already completed at least three cycles of operation. For example, if a full backup process is performed once a week, then you should wait at least three weeks to audit this process.

    But it is important to note that certification bodies have their own criteria about the duration of ISMS operation before the certification, so you must contact them beforehand to align on this.
  • Paper-based or electronic records?


    Answer:

    The best practice is the one that is best for you. The purpose of the records is that they confirm that some work has been done. How these records will be organized depends solely on your business and core process:

    a) what kind of jobs do you have (whether it's manual work in a workshop where there is no computer or tablet, or it's all automated and directly involving a computer/server);
    b) are electronic forms always available to all employees;
    c) whether the records are easily retrieved in case they need to prove compliance;
    d) whether the records are protected from manipulation (subsequent data modification) or loss (whether there is a corresponding back-up).

    In any case, it is recommended not to duplicate records where it is not needed (e.g. by legal obligation).

    For more about document management systems, please read the article:
    Common mistakes with ISO 13485:2016 documentation control and how to avoid them
    https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/