Search results

Design & Development

You may have all or most “Design and development” elements documented in your ISO 17025 QMS already, however you need to do a gap assessment (what you need versus what is in place) as there are specific requirements for ISO 9001:2015. Why I say “may” is it depends on what you have in place. Just because a laboratory is accredited to ISO 17025 does not automatically mean all the elements of ISO 9001 are there. The extent of implemented process, documentation and records varies from laboratory to laboratory.

You need to look at the ISO 9001:2015 requirements as per the standard and or a checklist, including the mandatory documents (procedures and records). Confirm is the requirements are implemented, in which procedures the processes are documented and if the records you have include all the information required. If fully covered in your system, then you know clearly where they are. If not, either modify your ISO 17025 documents to add elements required by ISO 9001, or create additional documents.

For more information, look at the resources available at the Advisera ISO 9001 Academy at https://advisera.com/9001academy/ Have a look at the Checklist of Mandatory Documentation Required by ISO 9001:2015 at https://info.advisera.com/9001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-90012015

ISO 27001 Certification

The standard does not require a particular document that would mark an end of ISO 27001 implementation.

In the situation where you were not involved in the implementation, you could perform the internal audit (as defined in clause 9.2), and the results of this internal audit could be used to assess the level of compliance and readiness for the certification process. You can also show to your client the Statement of Applicability that displays which controls are already implemented - this is a good overview of how far the implementation has gone.

For further information, see:

• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

• ISO 27001:2013 (Information Security Policy / IT Security Policy)

  Although it is possible to insert controls from the IT Security Policy into the Information Security, we do not recommend this approach. This is so because both policies have different purposes.   

  The Information security policy is a high-level policy that defines rules for the whole organization considering information security, while the IT Security Policy is an operational policy aimed at the security of the information regarding Information Technology. 

  For further information, see:

  • One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

  • Using ISMS results to prove SOX-ITGC controls

    IT General Controls (ITGC) are controls that are common to IT processes, providing stable and effective operation of application controls. They cover fields like creation/acquisition of systems, SDLC Process, access control, backup, change control, etc. 

    SOX is a United States federal law, that sets requirements for improving the accuracy and reliability of financial disclosures of organizations trading on U.S. territory.

    Considering that, an ISMS compliant with ISO 27001 can be one way to fulfill the requirements of SOX-ITGC.

    However, being compliant with ISO 27001 would not enable you full compliance with SOX-ITGC, this could only be a part of your compliance effort.

    For more information, please see:

    • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    • How can ISO 27001 help you comply with SOX section 404 https://advisera.com/27001academy/blog/2017/11/21/how-can-iso-27001-help-you-comply-with-sox-section-404/

    • Main advantages of implementing the ISO 14001 standard

      I don’t have experience in the mining industry, but I can point to some articles that can help you:

      • Why mining companies should obtain ISO 14001 certification - https://advisera.com/14001academy/blog/2018/04/17/why-mining-companies-should-obtain-iso-14001-certification/
      • 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/knowledgebase/6-key-benefits-of-iso-14001/
      • How to Use Good Environmental Objectives - https://advisera.com/14001academy/knowledgebase/how-to-use-good-environmental-objectives/
      • Examples of ISO 14001 objectives based on the different company sizes - https://advisera.com/14001academy/blog/2019/10/22/iso-14001-objectives-examples-for-different-company-sizes/ 

      The advantages of ISO 14001 for a company are based on the context, current performance, and interested parties' expectations.

    • Combine roles inside an (ITSM) organization

      Yes, you can combine roles inside your (ITSM) organization. This is not unusual, particularly for smaller organization.

      Here are more details:

      • What ITIL roles can be combined in one person? https://advisera.com/20000academy/knowledgebase/itil-roles-can-combined-one-person/
      • Defining roles and responsibilities for ISO 20000-based IT Service Management https://advisera.com/20000academy/blog/2017/10/18/defining-roles-and-responsibilities-for-iso-20000-based-it-service-management/

      • ISO27001 13.1.1 + 13.1.2

        If a company is cloud-based, and it does not have its own network - in such a case a company should mark controls A.13.1.1 and A.13.1.2 as not applicable in the Statement of Applicability because there would be no risks nor third-party requirements that would require such controls to be implemented.

      • CE Mark

        For the European market, all medical devices must be in compliance with Medical device regulation MDR 2017/745.  In this document, all relevant information is what needs to be prepared to get the CE mark.

        You can find the MDR in full text on the following link: https://advisera.com/13485academy/mdr/

        Also, you can find a lot of supporting reading material in our ISO 13485Academy on the following link: https://advisera.com/13485academy/free-downloads/

      • 7.4 Physical security monitoring

        Including physical security monitoring inside the Access Control Policy is an acceptable option to document this control, in case you consider this documentation relevant to your organization.

        An alternative would be a document called Procedures for Working in Secure Areas.

        To see how this document can include physical security monitoring, please access this demo: https://advisera.com/27001academy/documentation/procedures-for-working-in-secure-areas/