This document can help you list all information resources, vulnerabilities and threats, and assess the level of risk.
Audit days
Answer:
The main criteria are number of employees and audit complexity. The document you must consider is the IAF MD 5:2015 "Determination of Audit Time of Quality and Environmental Management Systems" and you can find it at this link: https://www.iaf.nu/upFiles/IAFMD5QMSEMSAuditDurationIssue311062015.pdf
Although its title refers to QMS and EMS, it can also be applied to estimate audit days for an ISMS certification audit.
So we can be 100% certain we have completed every single document within the 9001 necessary for the auditors, can you please provide a specific list of 9001 documents that have not been covered in 27001, that we need to complete.
Answer:
Mandatory documents for ISO 9001 which do not exist on ISO 27001 Toolkit are:
- Scope of the QMS (clause 4.3)
- Quality policy (clause 5.2)
- Quality objectives (clause 6.2)
- Criteria for evaluation and selection of suppliers (clause 8.4.1)
As for mandatory records:
- Monitoring and measuring equipment calibration records* (clause 7.1.5.1)
- Product/service requirements review records (clause 8.2.3.2)
- Record about design and development outputs review* (clause 8.3.2)
- Records about design and development inputs* (clause 8.3.3)
- Records of design and development controls* (clause 8.3.4)
- Records of design and development outputs* (clause 8.3.5)
- Design and development changes records* (clause 8.3.6)
- Characteristics of product to be produced and service to be provided (clause 8.5.1)
- Records about customer property (clause 8.5.3)
- Production/service provision change control records (clause 8.5.6)
- Record of conformity of product/service with acceptance criteria (clause 8.6)
- Record of nonconforming outputs (clause 8.7.2)
- Monitoring and measurement results (clause 9.1.1)
Please note that records marked with * are only mandatory in cases when the relevant clause is not excluded.
Answer: The project plan template was designed to consider the implementation of both ISO 22301 and ISO 27001, but you can use it for implementing a single standard. To do that you only have to exclude the parts related to the standard you won't be implementing (these parts are indicated by the comments included in the template).
2. Do we have to do BCP as part of ISO, or can we do it after?
Answer: Implementation of ISO 27001 does not require implementation of a BCP, only a disaster recovery plan related to Information Technology infrastructure if you have risks or legal requirements that demand its implementation.
The Disaster Recovery Plan template can be found in folder 8 Annex A, subfolder A.17 Business continuity.
I could certainly use some guidance from you - just in the above mentioned areas. FYI - The statement of applicability is being crafted and should be done in a couple of weeks
Answer:
First it is important to understand that useful policies and procedures are not developed to cover specific clauses of the standard. They are developed to describe and help you better run your processes, including pertinent controls when applicable. Considering that, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This demo contains parts of several policies and procedures to help you understand what these documents look like.
Regarding how to develop policies and procedures, the first step is to identify which requirements the policy or procedure must fulfill. For example, your organization may have contracts, laws, or regulations with clauses defining a specific approach for a security solution. After identifying those requirements, you should consider the context of your organization regarding size, process complexity, and staff maturity.
You can state ‘employees’, ‘clients’, ‘suppliers’, and ‘shareholders’ as your interested parties with no problems, but if you have some specific critical stakeholders (e.g., high-revenue customers, single suppliers for critical products, etc.) we recommend that you state them individually.
What do they need at a minimum for Stage 2? Will they need to see evidence of control of the manufacture, and how do we provide that if we aren't that far along yet?
Answer:
In a Stage 2 audit, you need to present documented evidence to the auditor to prove that your company’s QMS is in compliance with ISO 13485. This will include records, agreements such as a Quality Agreement (also termed a technical agreement) signed between the product owner and the manufacturers engaged to control the quality of the product, which can include specifications of the product, batch release details, responsibilities and roles of the parties involved, and practices.
They definitely would need to see the evidence of control of manufacture. What I can suggest would be that you present some form of written commercial agreement to each manufacturer that also presents the requirements and specifications of the product; that might help you, and also try to get the draft quality agreement.
For more information, please feel free to look at the following material:
Checklist of ISO 13485 implementation and certification steps:
Answer:
ISO 9001:2015 does not say anything specific about corruption or bribery. However, corruption and bribery can be determined and evaluated as relevant business risks. In that case, organizations should develop action plans to handle those risks.
Answer:
Unfortunately, this is not what the standard says. The ISO 45001:2018 standard does not specifically require that roles, responsibilities and authorities be assigned by name, only that they need to be assigned for the OHSMS. In fact, it is often helpful to use a more flexible term in your documents rather than the name or position title as when people change positions in your organization, titles change, or people leave you will then need to update all of the documents to reflect these changes. That being said, it is a helpful best practice to know who authored a document for the purposes of clarification when questions arise.
For more on OH&S responsibilities, see this article (the information has not changed with the release of ISO 45001): How roles and responsibilities have changed in DIS/ISO 45001, https://advisera.com/18001academy/blog/2016/04/06/how-roles-and-responsibilities-have-changed-in-disiso-45001/
Control of office documentation
Response:
It is up to your company how to handle documentation (external and internal documented information) and how to archive it. What is important first is that the organization determines which of all that documentation is necessary for the effectiveness of the Quality Management System, including of course the mandatory documented information required by the ISO 9001 standard. These requirements are defined in section 7.5 of the standard.
I would recommend that you write a procedure for documented information control that includes all the above requirements, helping your organization to follow a systematic structure regarding your documentation. Here you can download a free preview of our procedure - Procedure for document and record control: https://advisera.com/9001academy/documentation/procedure-document-record-control/ Then you can have a list of internal documentation and external documentation that is relevant for the effectiveness of the QMS processes.