One solution is that all of you are trained as internal auditors and audit each other. Another solution is to hire an external company that will provide the internal audit for you. It can be a consultancy that knows ISO 13485 (you need proof of that), or a person who is an auditor for other notified bodies and with whom you will have a contract stating that he/she is your internal auditor.
Examples of special interest groups are manufacturers, specialized forums, and professional associations. The government is another example of a special interest group.
This article will provide you with further explanation about special interest groups:
If I understood correctly, you’ve sent the SoA-based ISMS Manual.
Considering that, first is important to note that an SoA compliant with ISO 27001 must contain the following information:
In case any of this information is missing, the SoA document will not be accepted by an auditor.
As for the 2nd level document (the SoA Based ISMS Manual), we do not recommend such an approach to our customers, because this kind of document requires a great effort to be written but is of very limited use for employees in the company. Instead, you should focus on writing the security policies and procedures (included in your toolkit) that describe how to implement and maintain security in your company.
For further information about an ISMS manual, please see:
ISO 27001 does not prescribe how to define information security roles and responsibilities, so organizations are free to define them as best fits their needs, i.e., either as roles and responsibilities included in an existing Position Description that performs some information security activities (e.g., the Network Engineer) or as roles and responsibilities in a new Position Description for which information security is the core activity (e.g., the Chief Information Security Officer).
Considering your example, in small and midsized businesses a Network Engineer can perform information security activities (e.g., backup), so the roles and responsibilities can be included in this Position Description. In bigger companies, it may be required that you have a specific role to perform backups, so a Backup Engineer may be a required Position Description.
This article will provide you with further explanation about documenting roles and responsibilities:
In case he is providing only sporadic consultation about the documents and does not have specific roles and/or activities to perform regarding your ISMS documentation, he does not need to be included as a user in Conformio.
Regarding ISO 27001, as a consultant, you only need to ensure that any relevant action performed or decision made involving this person is recorded. In this case you have two alternatives:
1 – include this person as a user in Conformio, so you can use Conformio to assign, track and record activities assigned to him (e.g., ask him to review a document).
2 – in case he is not a Conformio user, you need to send him the documents you want him to review and then record his answers in Conformio (e.g., an email, meeting minutes, etc.).
Please note that you do not need to define any role in the ISMS documents to have this consultant as a Conformio user (in this case he will only be a common user).
Clear explanation!
An organization sets quality objectives. For each objective, you need to determine:
Does it make sense for you now?
The following material will provide you with more information:
Control A.8.1.1 does not prescribe how to define assets, so assets that share the same threats and vulnerabilities can be defined as a single asset, as in your example “expert employees”; it is not necessary to define them individually. The same goes for the “employee computers” example.
For more information on asset inventory, see:
With your question I am assuming you are talking about the new requirements on Other Risks and Other Opportunities rather than OH&S Risks and OH&S Opportunities which are associated with Hazards identified in the organization. These new requirements ask you to think of other strategic-level risks that could impact your ability to prevent injury and ill health in the workplace, as well as other opportunities to improve the performance of the OHSMS.
Unfortunately, this will be very specific to your organization and not generic to road construction, so I cannot just provide you with a listing. For instance, a strategic risk could include finding out that a supplier was going out of business, which might affect your access to safety equipment, and a strategic opportunity could include a supplier developing a new machine that could positively impact safety in your organization. It is these strategic-level risks and opportunities that you need to include in your planning for the OHSMS.
For more information on risks and opportunities in the ISO 45001 standard, see the articles: