Search results

ISO 27001 question

ISO 27001 does not prescribe document code to be used in ISMS documents, only that appropriate identification is used.

This article will provide you with further explanation about document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

In Conformio, the following information is used to identify documents:
- Document Version
- Last Update
- Author
- Reviewers
- Approver
- Owner

Acceptable or Not Acceptable

Question regarding ISO27001 implementation - Interested parties

Your understanding is correct.

This template is to be considered for laws, regulations, and contracts that can impact information security and the ISMS objectives (e.g., the WEEE directive). Legal requirements related to other subjects do not need to be considered for this template, they would only make the document unnecessarily complex.

Regarding providers, their contracts and services agreements are handled by means of the Supplier Security Policy.

For further information, see:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

Change of GDPR document

While the Regulation remained the same, we kept improving our GDPR Toolkits with new and improved documents. At this moment the most comprehensive toolkit is the EU GDPR PREMIUM DOCUMENTATION TOOLKIT. There are over 70 document templates that you can use to boost your GDPR compliance project, video tutorials on how and when to use these templates as well as email support and expert review of documents. A full list of documents can be consulted here: https://advisera.com/wp-content/uploads//sites/15/2021/12/List_of_documents_EU_GDPR_Premium_Documentation_Toolkit_EN.pdf .

Please check out our EU GDPR PREMIUM DOCUMENTATION TOOLKIT: https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/

Should ISO 17025 accredited laboratory be certified with ISO 9001?

No it is not necessary unless a large organisation wishes to go for ISO 9001 ceritifcation for support departments like HR and Finance. A laboratory that is accredited to ISO 17025 conforms to the requirements of ISO 17025 clause 8, Management requirements for laboratory activities. As these are the clauses covered in ISO 9001 management, It is considered that the laboratory fulfils the intent of ISO 9001. 

ISO 27001 external audit for rest of employees

In interviews with employees, the certification auditor will look if people are familiar with the documentation and use them while performing daily activities, i.e., check that the ISMS is working in the company.

Considering that, the auditor will make questions about their degree of knowledge of, at least, the most important documents that apply to them: Information Security Policy, confidentiality clauses, acceptable use of assets, Access Control Policy, etc.

Examples of possible questions are:

• “Do you have access to the internal rules of the organization in relation to information security?”
• “Can you show me some of the related policies?”
• “Could you tell me what are the points that you consider most important in the policy?”

For further information, see:

• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

Please note that when you say “the rest of *** employees (the ones who are not currently set up to be members of the ISMS in Conformio).”, for certification purposes you need to consider only those employees that are part of the ISMS scope (the auditor will not interview people outside the ISMS scope).

ISO 27001 toolkit

Customers that bought the toolkit in the last twelve months from the release of the new ISO 27001 will receive the updated documents, as well as information about what has changed and guidance on what changes in other documents.

For further information, see:

• 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

About ISO 27017 and ISO 27018, apart from specific templates, we have a toolkit integrating these templates into an ISO 27001 ISMS: https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/

From this link, you can download a free demo of the documents for evaluation. Additionally, in the toolkit, you will find a "List of documents" file that shows which templates cover which clauses from ISO 27017 and ISO 27018.  

These articles will provide you with a further explanation of ISO 27017 and ISO 27018:

• ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
• ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

Sampling and testing

I assume you are referring to accreditation ? There is no mandatory requirement to include sampling. It depends on the purpose of the test, i.e what the result is being used for. Certain test results that confirm a pass of a regulatory specification will require sampling to a specific plan. This may however be performed by another party. Many contract laboratories are not involved with sampling. In that case their scope of work excludes sampling. If the laboratory has no control over the sampling, then a statement must be put on the report that the results represent the sample received, not the source

If the laboratory is not responsible for sampling however uses a standard test method which includes sampling, then effectively they are performing a modified standard method. This might impact on the method validation studies. Reference to the method on the Schedule of accrediiton needs to indicate it was modified. 

Difference between application of this ISO for calibration labs and testing labs

As calibration laboratories provide service to testing laboratories to calibrate equipment, they have specific requirements in terms of their own equipment performance, measurement uncertainty and metrological traceability of their methods to national and international standards. They also have specific report requirements. Depending on the type of calibration performed, for example Volume or Humidity, calibration laboratories have to meet specific requirements of the accreditation body for that program. This involves submitting measurement of uncertainty budgets and calculations of method capability. Personnel responsible for releasing results in a calibration laboratory may also need to have a particular qualification or certification.

For more information on ISO 17025, have a look at the ISO 17025 toolkit and available toolkit documents. They are available for preview or purchase at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

If you need more information on measurement uncertainty, see the Q&A https://community.advisera.com/topic/toolkit-content-39/