We realise that we have common controls across our group as well as differences and our approach to implementation is to have a corporate control with localisations if required.
Will the auditing need to occur for each of our three companies or will the parent company only be audited? The answer to this question will have a bearing on whether the ISO implementation is separate in each company or we can share common controls.
Answer: The audit will have to be performed on all sites defined in your scope. Considering that, you have these options to consider:
- A single scope for all three companies. In this case all companies will have the same certification and will need to be audited during the same audit event.
- A scope for each company. In this case each company will have its own certificate and can be audited in a separated event.
A single certification means reduced cost, but increases the logistics complexity during the audit, as opposed to having a certification for each company.
Regarding common and specific controls, if you have a single scope this will not make a difference in the audit event. As for adopting different scopes, you will have to identify which company manages the corporate controls and include this information in the scope of the other companies, stating this situation as a relevant interface for these companies.
Evidencing Leadership and commitment
Answer:
Objective evidence can be gathered through interviews, observation and review of documented information. For example:
- evaluating alignment between information and other evidence shown during interviews with the practices, real performance and documented information;
- evaluating participation in communication and awareness events;
- ensuring that the EMS is integrated in the business management system;
- ensuring resources for the operation and improvement of the EMS;
- ensuring that actions are taken when there is a gap between real and desired performance.
The following material will provide you with information about leadership and commitment:
In-house verification instead of outside calibration
Answer:
First, do not forget that clause 7.1.5 is about monitoring and measuring resources used to verify conformity of products and services. Monitoring and measuring resources used to verify conformity of processes are not mandatory.
Second, your suggestion is acceptable and is used by several organizations.
The following material will provide you with information about monitoring and measuring resources:
(1 - I would like to know more about the elements of document control procedures, corrective and preventive actions and internal audit. How specifically will I put this in the company's documentation, and at what stage? In addition to document control procedures, corrective and preventive actions and internal audit: roles and responsibilities of employees, suppliers and third parties, contracting terms and conditions, operating procedures of information processing facilities.)
Regarding how you can implement these in your organization, you must first identify your organization's approach toward document control. If your organization has no document control procedure at all, I suggest you take a look at the free demo of our Procedure for Document and Record Control at this link: https://advisera.com/27001academy/documentation/procedure-for-document-and-record-control/
Regarding contracting terms and conditions and operating procedures of information processing facilities, their content will depend on the results of a risk assessment to identify the relevant risks that must be treated.
Answer: Performing internal audits follows these general steps:
- Audit planning
- Audit performance
- Audit report
- Audit treatment follow-up
In the previous answer you can find additional references.
(3 - What is possible, practical and acceptable to elaborate by tables?)
Answer: ISO 27001 does not define how to implement the documentation (it only requires that documents and records must be controlled), so organizations are free to implement them as they see fit. So, tables are acceptable as a means to control documents if they can fulfill the standard's requirements.
Sorry, I cannot help you regarding ISO 2200, but about ISO 9001:2015 - First comes the stage 1 audit, where the auditor (or audit team) will review the management system documentation and compare it with the requirements of the standard, and will verify if the scope of certification is clear and doesn’t present misleading information. Also included is a review to ensure that internal audits and management review are being planned and performed, and that the level of implementation of the management system indicates that the organization is prepared for the stage 2 audit.
If weaknesses are identified in the stage 1 audit, these must be corrected by the organization before the stage 2 audit.
While the stage 1 audit is about documentation and is normally performed in a meeting room, the stage 2 audit is performed at the places where people do their jobs and is much more practical, much more about whether the employees are complying with everything that is written in the documentation. This is achieved by means of interviewing the employees, examining the relevant documents, records, forms and guidelines and also by visiting relevant areas of the organization. The point is – the auditor can talk to anyone, visit any part of your company and see and document anything within the scope of the certification.
The following material will provide you with information about implementing a QMS:
For example: If this processing includes a bank account number, which in its own right is not enough to identify a “Data Subject”, should we include that in the “Categories of Personal Data” column? What about amounts, dates etc.?
Answer:
Personal data is defined in EU GDPR article 4 – “Definitions” (https://advisera.com/gdpr/definitions/): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. You can easily observe that the definition is very broad.
Coming back to your question, you need to also put in there the information which relates to a data subject, and a bank account is one such piece of information. To continue with some examples, you can use the following taxonomy:
- Personal master data (e.g. name, surname, date of birth)
- Communication data (e.g. telephone, e-mail, address)
- Contract master data (contractual relationship, product or contract interest)
- Customer history
- Contractual invoicing and payment data
- Planning and control data
- Academic and professional data (training / qualifications, professional experience)
- Employment details (work center, job position and department)
- IP addresses
- Transaction data (bank accounts, transaction history etc.)
There is no universal rule for filing ISO 14001 records. You can file by clauses or, for example, by topics like Calibration Records for Monitoring & Measurement Equipment or Compliance Obligations Records.
The following material will provide you with information about records of an EMS:
It is a big challenge; their present QMS is from before the process approach that was introduced in 2000. Do not try to do it alone, arrange a team to implement the new QMS. I do not know the dimension of your organization, but consider the following advice:
The duration of implementation depends primarily on the size of the organization, for example:
Smaller organizations (up to 50 employees) usually implement the standard in less than 8 months.
Mid-size organizations (up to 500 employees) usually implement the standard in 8 to 12 months.
Large organizations (500 employees and more) – implementation usually lasts 12 to 15 months.
Beware of dragging such projects on for too long; companies that do (e.g., small companies for more than 12 months) usually never finish the project.
The following material will provide you with information about implementing a QMS:
Answer:
You are correct. In clause 8.5.1.3 of AS9100 Rev D, which covers Production Process Verification, there are the requirements which are referred to as First Article Inspection (FAI). The requirements within this clause make no reference to AS9102, and therefore the process of AS9102 is not a requirement of AS9100 Rev D. So, unless you are required by the customer to use the AS9102 process and forms, these requirements can be fulfilled in other ways as you determine adequate.
For more information on this see the article: https://advisera.com/9100academy/blog/2017/11/07/how-does-first-article-inspection-fit-into-as9100-rev-d/
ISMS implementation strategies
Option 1: Documentation Toolkit
Option 2: Conformio (As I understand, it comes together with documentation templates).
It seems that some consultancy is still needed for this company. What is your advice? How much consultancy is needed?
The scope is - NOC & SOC. (Staff around 15)
Total number of Staff 20 to 30.
Answer: The extent to which a consultancy is needed depends on the complexity and size of the scope, on the extent of the organization, and on the time and resources available. Considering that, and the information you already provided, the options would be:
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.
3 - What will be the steps and best approach for me to assist this company?
Answer: Roughly speaking, ISO 27001 implementation steps can be summarized as:
1) getting management buy-in for the project;
2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform risk assessment and define risk treatment plan;
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8) performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.