ISO 9001:2015 does not reference the use of Hazard Analysis. I only consider its use mandatory if prescribed in a contract or in other compliance obligations.
You can find more information below about risks.
From your question I understand that in your scenario you have a specific business unit responsible for information security in the organization, and that you performed a BIA for each department in the organization.
Considering that, please note that a BIA will give you information about impact on business continuity specifically for the scope where it is applied (i.e., the BIA for a department will give you information about that specific department only).
So, to have information about business continuity impact on the information security department, you need to perform a BIA on this department. The BIA in each department needs to be performed using the same methodology, i.e. the same set of rules so that the results are comparable.
These articles will provide you with a further explanation about performing BIA:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Five Tips for Successful Business Impact Analysis https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/
These materials will also help you regarding BIA:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
You can use the ISO 27001 framework to partially support HITRUST controls implementation, maintenance, and improvement (i.e., ISO 27001 does not cover the whole of HITRUST).
ISO 27001 involves the implementation of a high-level information security management system, while HITRUST involves detailed requirements and controls for the secure creation, access, storage, and exchange of sensitive and/or regulated data.
For more information, please access this link: https://hitrustalliance.net/uploads/CSFComparisonWhitpaper.pdf
If you are interested in help with ISO 27001, our templates may be of interest to you; you can download a free version here by clicking on “DOWNLOAD FREE TOOLKIT DEMO”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
By the way, ISO 27799, which is similar to ISO 27001, is an international standard that also focuses on information security for health organizations.
These articles will provide you with a further explanation about ISO 27001 as applicable to health organizations:
- How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/
- Comparison of HIPAA compliance and ISO 27001 certification https://advisera.com/27001academy/blog/2021/01/27/hipaa-compliance-vs-iso-27001/
First, I don’t use the word “observation” because it is not defined in ISO 9000:2015.
Second, I would raise a non-conformity, as equipment that is out of use and not properly identified as such can promote inadvertent use. Something like:
Measuring equipment shall be identified in order to determine their status (ISO 9001:2015 clause 7.1.5.2b)).
When auditing the production area, a piece of equipment was found to be past due for calibration and without status identification, which can promote inadvertent use.
During the audit, a UV-VIS spectrometer was found to be past due for calibration in the production area. When questioned, the department manager said that the equipment was out of order, but there is no warning sign indicating that.
You can find more information below:
While ISO 27001 and TISAX share information security as the main goal, allowing them to be compared, TISAX is more specific, adding specific security controls for connection with third parties, prototype protection, and data protection.
For further information, see:
1. Can I as the Project Manager of the ISO 27001 also conduct the Internal Audit? Or should this be done by someone who is not as involved in the project implementation?
The project manager is involved in most of the activities related to the implementation of ISO 27001, and since one requirement to be observed for an auditor is impartiality (an auditor cannot audit his own work), this person will not be able to perform the auditor role.
The best course of action would be to train an employee to act as internal auditor or to hire an external auditor.
These articles will provide you with further explanation about internal audit:
2. When should the first Management review be conducted? At the end, when we have all of the documents, or while we are implementing the policies and procedures? I am asking this because there are some items that have their first occurrence set as one month after the start of the project, so now I am afraid that I was supposed to do this from the beginning.
ISO 27001 does not prescribe when the first management review needs to be performed, so organizations can schedule it as they see fit.
For a certification implementation project, you can consider smaller management reviews during the project, and the first official management review once the implementation is over.
For further information, see:
Thank you!
Please note that the toolkit you bought has all mandatory documents required by the standard and the most commonly used ones. They are all you need to address the clauses and Annex A of the standard. No additional document is required.
The toolkit includes a List of Documents file that shows you which clauses and controls of the standard are covered by each document.
Writing a single big document is not recommended because it will become too complex to read and maintain.
For further information, see:
These materials will also help you regarding the implementation of ISO 27001: