
  • Mandatory documents


    The question is : in a small digital agency (up to 20 employees, including management), which documentation and policies / procedures are required and which ones are an overkill for such a small organization like my company?

    Answer:

    First it is important to note that some documents and records are mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10), and these are:
    - Scope of the ISMS (clause 4.3)
    - Information security policy and objectives (clauses 5.2 and 6.2)
    - Risk assessment and risk treatment methodology (clause 6.1.2)
    - Statement of Applicability (clause 6.1.3 d)
    - Risk treatment plan (clauses 6.1.3 e and 6.2)
    - Risk assessment report (clause 8.2)
    - Records of training, skills, experience and qualifications (clause 7.2)
    - Monitoring and measurement results (clause 9.1)
    - Internal audit program (clause 9.2)
    - Results of internal audits (clause 9.2)
    - Results of the management review (clause 9.3)
    - Results of corrective actions (clause 10.1)

    Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happens:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply, and which demand the application of the control
    - There is a top management decision to implement the control, by considering it as good practice.

    If none of the above conditions happens, there is no need to implement a document related to that control. Examples of such documents are:
    - Inventory of assets (to implement control A.8.1.1)
    - Acceptable use of assets (to implement control A.8.1.3)

    Considering that, beyond the documents needed to fulfill clauses from the main sections, it is not possible to define how many documents an organization would have, and which ones would be an overkill, without a detailed evaluation of the organization.

    These articles will provide you further explanation about ISO 27001 documents and selection of controls:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Categorization of assets


    Examples: Would you say contracts are a primary asset or a supporting asset. How about job descriptions, NDA, SLA, DPA, Sales offers. Is there a good technique on how to categorize properly? In the risk assessment table template from Advisera, only suggested assets are listed.

    Answer:

    ISO 27001 does not prescribe asset categorization, so you do not need to implement further categorization than what is already provided in the suggested list of assets on the risk assessment table template (adding such categorization will only unnecessarily complicate the process).

    Contracts, job descriptions, NDAs, SLAs, and DPAs are documentation, while sales offers are information (unless this refers to the name of a document).

    This article will provide you further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 - https://advisera.com/27001academy/pt-br/blog/2016/10/25/onde-a-seguranca-da-informacao-se-encaixa-em-uma-organizacao/
  • ISO 9001 in Construction companies


    Answer:
    I worked with more than a dozen construction companies in implementing and certifying a quality management system according to ISO 9001.
    ISO 9001 is very helpful for organizations that work with projects and organizations that have no repetitive product or service year after year.

    The following material will provide you with the information about ISO 9001 and construction industry:
    - ISO 9001 – Would construction companies benefit from ISO 9001? - https://advisera.com/9001academy/blog/2016/06/07/would-construction-companies-benefit-from-iso-9001/
    - white paper - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
    - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/s -course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Management review in ISO 9001:2015


    Answer:

    You can decide how to organize your management review, either through routinely scheduled meetings or through a more continuous review process.

    The minimum required inputs in ISO 9001 that top management needs to review are the following:
    - Results of audits
    - Customer feedback
    - Process performance and product conformity
    - Status of preventive and corrective actions
    - Follow-up actions from previous management reviews
    - Changes that could affect the quality management system
    - Recommendations for improvement

    These materials can help you to learn more about management review:
    - Article - How to make management review more useful in your QMS: https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Quality Policy and Quality Objectives


    Answer:

    When creating a quality policy you need to consider the following:
    - is appropriate to the purpose and context of the organization
    - supports the strategic direction of the organization
    - provides a framework for the quality objectives of the organization
    - includes a commitment to the fulfilment of applicable requirements (customer requirements, regulatory requirements and ISO requirements)
    - contains a commitment for continual improvement

    For more information about the quality policy, you can see the following articles:
    - How to write a good quality policy: https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
    - How does the ISO 9001:2015 revision affect the quality policy: https://advisera.com/9001academy/blog/2018/04/10/how-does-the-iso-90012015-revision-affect-the-quality-policy/

    Regarding quality objectives - they are goals that can be measured and that are relevant for the organization in order to increase customer satisfaction. They also must be consistent with the quality policy.

    You will also have to determine how and when quality objectives will be achieved, what resources will be needed, who will be responsible, and how the results will be assessed.

    For more information about the quality objectives, you can see the following articles:
    - How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - What has changed with quality objectives in ISO 9001:2015: https://advisera.com/9001academy/blog/2018/05/08/what-has-changed-with-quality-objectives-in-iso-90012015/

    You can also see these materials to help you with the quality policy and quality objectives:
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • ISO 20000 for internet data center

    Yes, ISO 20000 certification for an internet data center is a good idea.
    Here are a few benefits of the ISO 20000 implementation (and certification):
    - proof of excellence in IT Service Management (ITSM)
    - getting ITSM “under control” – meaning managed, measured and improved processes, clear roles and responsibilities, etc.
    - distinctiveness from other, non-ISO 20000-certified companies
    - integration of ITSM and business operation as well as stakeholders (and their expectations)
    - “same language” inside organization
    You can find out more in the article “5 key benefits of ISO 20000 implementation” https://advisera.com/20000academy/blog/2016/02/09/5-key-benefits-of-iso-20000-implementation/
  • Planning communication


    Answer:
    Your organization, with ISO 9001:2015 clause 4.2, determined relevant interested parties and their relevant requirements and/or expectations. So, considering those relevant interested parties, your organization should determine what needs to be communicated to each party in terms of the quality management system. For example, your organization may want to communicate process performance to employees, or health care results to clients or their families or the local community. For each “what to communicate” your organization should plan (I use a table):
    - when to communicate – once per month? once per year? every quarter?
    - to whom to communicate – clearly state who will be the recipients of the communication
    - how to communicate – a newsletter? an internal meeting? an e-mail? a press release? an internal report?
    - who will communicate – which function or functions will be responsible for the communication?

    The following material will provide you information about communication:
    - Communication requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
    - You can enroll for free in this ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Looking for consultancy work

    I am an ISO lead auditor with 14 years' experience in the standards and am also looking at expanding my portfolio to include IT ISO auditing.
    Any ideas or help appreciated.

    Answer:
    Based on your experience description, I would start by contacting consultancy organizations in the market to offer my services as a freelance consultant. At the same time, I would start my commercial activity in order to find clients on my own, and I would develop my marketing activities by starting a blog, or any other way of showing my know-how and experience. About entering IT ISO auditing, I can say that it is a very hot job right now with strong demand worldwide.

    The following material will provide you information about getting clients as a consultant:
    - How to get new clients for your ISO 9001 consultancy - https://advisera.com/9001academy/blog/2019/03/05/how-to-get-new-clients-for-your-iso-9001-consultancy/
    - You can enroll for free in this ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - ISO 27001:2013 Foundations Course - https://advisera.com/training/iso-27001-foundations-course/
    - book - SECURE & SIMPLE: A Small-Business Guide to Implementing ISO 27001 On Your Own - https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Preparing an environmental risk assessment


    Answer:
    To prepare an environmental risk assessment I consider the definition of risk: the effect of uncertainty that can promote a deviation from intended results. This definition should focus our attention upon intended and unintended results. Then, considering clause 6.1.1, I look into environmental aspects and impacts and determine what possible positive or negative deviations can occur. For example, your organization can control and monitor wastewater quality. What can go wrong with that control or monitoring operation? Look also into compliance obligations: what can go wrong that impairs your organization’s capability of complying with water quality discharge permit requirements? Look also into what comes out of context analysis, clauses 4.1 and 4.2. For example, can your organization take advantage of technological developments to improve raw material consumption? Or consider trends in legislation that can increase environmental performance in the near future.

    The following material will provide you information about handling of environmental risks:
    - Should you use a risk register for the ISO 14001 EMS? - https://advisera.com/14001academy/blog/2016/10/17/should-you-use-a-risk-register-for-the-iso-14001-ems/
    - Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
    - ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Queries about management review

    #1 9.3.2. c) 1) - May this section include certificates received from different sponsorships as appreciation, such as from schools, or clearances/certificates for compliance/registration from different government agencies as required by law?

    Answer:
    Yes, as long as they allow your organization to perceive your client’s perception about your work. You can also include complaints, praises, client’s evaluations, for example.

    #2 9.3.2. e) - What are the specific documents to be inserted or evaluated as source for presentation during the management review meeting/presentation?

    Answer:
    Your organization previously evaluated risks and opportunities and classified some of them as relevant. According to clause 6.1.2 a), your organization planned some actions to handle those relevant risks and opportunities. Later, your organization will update the list of risks and opportunities and their classification. At the management review, organizations evaluate whether their action plans were effective in reducing, minimizing or controlling risks, or in taking advantage of opportunities. This can be evidenced through a risk and opportunities register with a column for evaluating action plan effectiveness.

    #3 9.3.2. f) - The previous management review presented a SWOT analysis. Should this document be updated for the coming management review, or are there any specific documents to be inserted or evaluated as a source for presentation during the management review meeting/presentation?

    Answer:
    SWOT analysis is more about clause 9.3.2. b).
    Clause 9.3.2. f) is about general improvement opportunities resulting from considering all the inputs to the management review.

    The following material will provide you information about management review:
    - ISO 9001 – How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
    - How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
    - You can enroll for free in this ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Free webinar on demand – How to perform management review according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-perform-management-review-according-to-iso-9001-2015-free-webinar-on-demand/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/