Search results

How to become good assessor for ISO 17025:2017?

As the principle of Auditing the management component of all Quality management systems, including ISO 17025 involves the same approach and techniques, you could benefit form the Internal Auditor training offered by the ISO 9001 Academy. Have a look her for further information https://advisera.com/training/iso-9001-internal-auditor-course. To strengthen your skills with ISO 17025 technical assessments, I suggest refresher self-learning on the purpose of ISO 17025 and its risk-based approach.

The following will provide more information for you on Auditing and ISO 17025:

How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/

The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report are available separately from the procedure link above; or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

The Book - ISO internal audit: A plain English guide at https://advisera.com/books/iso-internal-audit-plain-english-guide/

ISO 27001 single templates

I’m assuming that by SABS you mean the South African Bureau of Standards, and you are referring to SANS 27001:2015, which requirements are exactly the same as ISO 27001:2013.  

Considering that, the standard clause 4.1 does not require external and internal issues to be documented, so a template regarding this clause is not necessary.

For further information about context and external and internal issues, see:

• How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

Regarding clause 4.3, you can use the ISMS Scope Document template: https://advisera.com/27001academy/documentation/isms-scope-document/

For further information about ISMS scope definition, see:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
• How To Set ISMS Scope According to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

• Documentation request

  Please note that only some of these documents are mandatory for an ISO 27001 certified organization (e.g., ISMS scope, and the Information Security Policy), while others will depend if you have implemented some specific controls (e.g., control A.9.1.1 – Access Control Policy requires an Access Control Policy to be documented), and others are not needed at all (e.g., Context of organization, ISMG Governance and Training Matrix).

  For a list of mandatory documents for ISO 27001-certified companies, please see:

  • List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

  Considering that, unless this request from the customer is based on a contract or service agreement you have with that company, you do not need to have the documents not required by the main clauses of the standard, or by specific controls you implemented.

  You have to consider how important this customer is to you and based on this, decide if you will write these documents.

  Regarding the mandatory documents, you should sign an NDA with the customer before providing the documents.

• Clause 4.1 in Conformio

  Please note that external and internal issues relevant to the ISMS can be evidenced in Conformio through:

• The 'Register of legal, contractual and other requirements' module, which generates a document called "List of Legal, Regulatory and Contractual Requirements".
• The 'Risk register' modules which cover the processes of risk assessment, treatment, and management and generate a document: "Risk Assessment and Risk Treatment Report".

Both modules take into account external and internal issues for the definition of the mentioned documents.

For further information, see:

• 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
• How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

• How to implement ISO 45001 in developing countries and small medium scale industries?

  Hi, Implementing ISO 45001 can be both rewarding and challenging due to limited resources, practical approach.. 

• Question on risk assessment

  Please note that the purpose of the Risk Treatment Plan is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc., so you do not need to present any risks in the Risk Treatment Plan

  For further information, see:

  • Risk Treatment Plan vs. risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section19

• ISO 45001 Future Changes

  Although I am not on the technical committee, and cannot say for certain what will happen, I can predict a bit from what I know. In general, the Iso technical committees will look at the standards about every 5 years to see what changes are needed. If we look at the oldest management system standard (ISO 9001), this followed the cycle of a major release (1987), minor changes (1994), a major change (2000), minor changes (2008), and then a major change in 2015 to align with other management system standards. So, following this I would expect minor changes in the net revision of ISO 45001, but nothing major. This will also be delayed a bit due to the delayed transition from OHSAS 18001 for the pandemic, and future major changes will likely be harder to do where they affect the alignment with other ISO management system standards or to change how any management system utilizes the management principles (such as the process approach).

  In short, I don’t see any revolutionary changes to being ISO compliant in the next 5 years.

  For a bit more on the crucial management principle of the process approach, see the article:

  • Process approach application in ISO 45001 implementation of health & safety https://advisera.com/45001academy/blog/2017/03/15/process-approach-application-in-iso-45001-implementation-of-health-safety/

  • ISO 27002

    This will depend on the date you want to be certified. If you want to be certified before March 2023 - go with the 2013 revision, after March 2023 go with the 2022 revision.

    Please note that after the release of the new version of ISO 27001, any required changes will have a transition period to be implemented (this transition period will be of three years after the management system standard is released, which is plenty of time to do this transition for most controls).

    For further information, see

    • 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
    • Should you start implementing ISO 27001 2013 or 2022 revision? https://advisera.com/insight/chatbot-implement-iso-27001-2013-or-2022-revision/