
  • Questions about ISO 27001 controls in Conformio

    1. We have a question about this Time synchronization control - the control in Conformio says to use accurate time clocks and synchronize them automatically. We have a system in place to synchronize clocks and our laptops that the employees use are also synchronized via google services. We would like to understand if we should write a policy about this and what can we expect during the audit? Will the auditor ask to see how we do this for all clocks and laptops or will he ask for a random one? Would this also be applicable to tablets? This is the task I am referring to https://prnt.sc/KaIKTGeAtuK3 (control A12.4.4)

    Answer: ISO 27001 does not require control A.12.4.4 - Clock synchronization to be documented, so you can simply add the information on how it is implemented in the Statement of Applicability, by accessing it through the Statement of Applicability module.

    Regarding activities during the audit, the auditor will want to see how you planned to implement this control (he can find this information in the SoA as we suggested) and choose some random devices to verify the implementation. All devices that have access to the information you want to protect (as defined in the ISMS scope) need to be covered by this control if it is applicable, including tablets.

    2. We have similar questions around the task "Make sure all computers use anti-malware" related to control A.12.2.1 - what would the auditor check in relation to this and do we need a written policy on how we handle this in our organization?

    Answer: Control A.12.2.1 - Controls against malware also do not need to be documented, but as a commonly adopted practice, in case this control is defined as applicable, its implementation is documented in the IT Security Policy.

    Regarding activities during the audit, the auditor will check if what was defined in the IT Security Policy is implemented.

    For further information, see:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/


    3. Also, the standard uses the words "elements to be considered" and gives 10 recommendations. Are these recommendations, or do we need to do everything that is listed?

    Answer: From the extra information you’ve sent, I identified that you are referring to ISO 27002 in this question.

    Considering that, please note that ISO 27002 is not mandatory for implementing ISO 27001. ISO 27002 is usually used by consultants who want to learn more about the standard.

    For example, the implementation of whitelists or blacklists (recommendations b and c for control A.12.2.1 – Controls against malware) is necessary only in case you have relevant risks that can be treated by implementing such lists, or if you have to be compliant with a law, regulation or contract that demands the implementation of such lists.

  • Complying with IATF

    Generally, MTTR, MTBF, breakdown percentage, line stop hours or minutes, etc. are followed as maintenance process indicators and targets.

    In general, the parts of the IATF 16949:2016 standard related to the maintenance process are clauses 8.5.1.4, 8.5.1.5, 8.5.1.6, 7.1.4.1, and 6.1.2.3.

    These cover periodic maintenance of plant, production, measurement, etc. equipment, predictive maintenance, preventive maintenance, TPM, breakdown maintenance, cleanliness, repair and contingency actions, and plans to prevent disruption of production and/or delivery to the customer.

    In particular, I recommend that you examine these 3 items closely.

  • Is Security Awareness training compliant enough for ISO 27001 audit?

    Please note that the awareness training included with your Conformio plan covers the most common topics related to general employee training and awareness, but to be sure whether it is enough for auditing purposes you need to verify the results of your risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts) to check whether any specific additional training is required.

    For further information, see:

  • Best laboratory practices

    General best practices in laboratories involve establishing a quality management system with criteria for a safe working environment, efficient processes and valid results. The specifics depend on the type of laboratory. For example, for non-clinical safety studies, the Organisation for Economic Co-operation and Development (OECD) sets out Principles of Good Laboratory Practice (GLP) to ensure the quality and integrity of test data related to non-clinical safety studies.

    ISO 17025 is the basis of the quality management system for testing and calibration laboratories. Then depending on the sector and risk, practices for safety and environmental protection could include certification to other ISO or other international standards, for example, ISO 14001.

    For more information to meet ISO 17025 requirements, see the complimentary white paper (PDF) Clause-by-clause explanation of ISO 17025:2017 available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Extended Manufacturing Site

    For the rules on extended manufacturing sites, I recommend reviewing IATF Rules revision 5, Annex 4.

    In particular, for an extended manufacturing site, "not having the authority to make autonomous decisions" is important, and it must be tied to the main manufacturing site.

    Many of the main activities, such as top management, quality management, etc., must be carried out by the main site.

    In fact, at an extended manufacturing site it may even be required that only production and quality operators are present.

    Apart from this, I recommend that you also discuss it with your certification body.

  • Requirement of compulsory annual health check-up of employees

    No, there is no such requirement in ISO 13485:2016.

  • Validation and accreditation questions

    You asked

    1)    must the process of sample size reduction for analysis be included in the validation process for accreditation?

    I understand that the sample size reduction is part of sample preparation, not sampling (from source), so yes, that step must be included in your method validation. The sample preparation variability must be evaluated.

    You also asked

    2)    can you validate this as one method, even though different size reduction requirements and dilutions are used prior to analysis?

    You can validate as one method if the same in-house or standard testing method is followed, and the dissolution and analytical part of the validation is common.

    As an example, an accredited method would be stated as "Procedure for the dissolution of crushed ore, waste ore and concentrate (final product) with analysis by ICP-OES". For accreditation you must specify the material or product tested, the standard specifications, the techniques / equipment used, the type of tests / properties measured, and the range of measurement (if applicable; for example, your limit of detection is a restriction).

  • organization have no work order since 2 years

    I am afraid that for a full answer to this question you will need to talk to your certification body, because AS9100 gives you the requirements on how to create an aerospace QMS, but it does not tell you how to audit it. Even ISO 19011, the guidelines for management system auditing, does not go into this sort of detail. The standard gives you the information on how to create the processes, which processes are needed, and some of the requirements they need to meet; but not how to assess these processes when a company has not had aerospace customers for a while. It also does not talk about whether you do or do not have customers.

    That being said, documented records are not the only information used to audit the processes of the QMS. You may be able to assess the processes through interviews where records do not exist because there have been no customers. It can be enough to know that the processes are in place, understood, and ready for when a customer returns.

    You can learn a bit more on how the certification audit works in the article: What to expect at the ISO certification audit: What the auditor can and cannot do, https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit


  • Auditor Questions Allowed

    When preparing for an audit of the OHSMS it is important to realize that the management system cannot simply meet the requirements of ISO 45001; it also needs to incorporate legal and other requirements of interested parties, which is why the standard asks that you identify these as part of clause 4.2. What this means is that during an audit you are not asking questions about the standard, since people in the organization may not know what the standard says, but rather questions about the process that is implemented, which will include all requirements, including those of ISO 45001.

    This means what you need to do is to review the process in place to see what questions you need to ask to assess if the process is implemented as planned. If people are doing the process as planned, and the process meets the requirements of ISO 45001 and the needs and expectations of interested parties, then you are assessing if the requirements of the process are met in your audit.


    You can learn more on how auditing works in the article: How to perform an internal audit using ISO 19011, https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

  • UK -GDPR

    If you are working in the company, this would be considered as a transfer of personal data (Transfers of personal data to third countries or international organizations) falling under Chapter V in UK GDPR. So there should be a legal basis to be used. In your case, it depends on where your employment contract is. If your employment contract is in the UK but you reside outside the UK, that is not a problem. If your employment contract is outside the UK, but not in EEA, then there should be a transfer mechanism in place, like standard contractual clauses or binding corporate rules that should be signed between the UK company and your employer.


    Please find more links here (references are for EU GDPR, but the text is the same):
