  • Exclusion of clause 7.5.2 from ISO 9001:2008


    Answer:

    If you are only selling the fire extinguisher products, this clause could easily be excluded; however, servicing of the fire extinguishing products includes attesting that they are safe for use and are working properly. This is usually done through validation and verification processes.

    Validation is performed in cases where verification cannot be conducted and it is not possible to confirm by measurement that a product or service satisfies the customer's request, or where measurement cannot be carried out because the product or service is destroyed in the process.

    If you have such a situation, then you cannot exclude clause 7.5.2; otherwise it can be excluded, but the company needs to provide justification for the exclusion in the Quality Manual.

    For more information, see:
    - Understanding Product & Service Provision in ISO 9001 https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
  • Training effectiveness and job descriptions

    1. Is it a must for the manager to fill in a report evaluating the effectiveness of a training program attended by his employee?
    2. Is it an ISO 9001:2015 requirement to have job descriptions for all the staff?

    Answer:

    1. The manager doesn't have to conduct an evaluation of the training effectiveness; the evidence of effectiveness can be a certificate of passing an exam, or the effectiveness can be evaluated by other employees who already have the required competence. For example, if you send an employee to learn how to operate some machine, another employee who already operates the machine can confirm that the newly trained employee is competent to operate it.

    2. No, ISO 9001:2015 does not explicitly require organizations to have job descriptions for all the staff; however, they are a good starting point for identifying training needs.

    For more information, see:
    - Improving quality through effective training https://advisera.com/9001academy/blog/2014/12/09/improving-quality-effective-training/
  • Understanding context of the organization


    Answer:

    Understanding the context of the organization includes identifying all internal and external issues that can affect the ability of the organization to achieve its objectives. Internal context may include organizational structure, organizational culture, human resources, condition of the equipment, etc. External issues may be market conditions, relevant legislation, tax policy, competitors, etc.

    Identifying interested parties and their needs and expectations is part of determining the context of the organization. Interested parties may also be internal or external, and they should also be considered in terms of how they influence the organization. Once the organization determines which interested parties are relevant, it must determine their needs and expectations related to the organization.

    For more information, see:
    - How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - How to determine interested parties and their requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
  • Documents and records serial number


    Answer:

    The new version of the standard has the same rules for documents and records; they are all treated as documented information.

    The reason for assigning a serial number to documents and records within the QMS is that the ISO 9001 standard requires documented information to have identification and description, and this includes title, date, author or reference number. The serial number is not an explicit requirement of the standard; however, it facilitates identification of documents and records.

    For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • General board level governance document that the non IT Director can understand


    Answer:

    According to ISO 27001, the top-level document that is intended for executives is the Information Security Policy. This is not a detailed document with all the security rules, but a document that sets general responsibilities and defines a way to measure information security performance. To measure the performance, you have to set the general information security objectives and then measure whether those objectives have been achieved.

    These articles will help you:
    - Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Validity of the ISO27001 Certificate from Advisera

    Thanks a lot! Great news
  • Scope for a company that provides IT services outsourcing


    Answer:
    From my point of view, such information should be included in the ISMS scope, and therefore risk management should be performed for that information. This article about the scope may be of interest to you: "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    By the way, there is a standard related to information security in the cloud, ISO 27017, so this article may be of interest to you: “ISO 27001 vs. ISO 27017 – Information security controls for cloud services”: https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    Finally, our online course about the foundations of ISO 27001 may be of interest to you: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Appendix Clarification

    For example, the procedure for documents and records defines which records are used when the procedure is applied, and all those records are listed in section 4 together with other information relevant for each record, such as location, retention time, owner of the document and so on.
  • Owners of multiple assets


    Answer:

    The asset owner should be a person who will be responsible for the information that is stored on that asset; so, in the case of laptops in your company, you could write that the owner is "the person who uses each laptop". In some cases I've seen companies define that the owner of all the laptops in the company is the IT department.
  • Incident Management

    2. Quote 1 or 2 examples where a user (Senior Management) has violated the ITIL process (e.g. Incident/Change/Problem management, any scenario), what the consequences were, and how you convinced the user not to repeat it. Explain with an example which standards or procedures the user had violated.
    3. Explain a situation/example where you have breached an SLA for a critical incident and how you convinced the customer regarding the same:
    4. Difference between Post Incident Review and Post Implementation Review:
    5. What is the role of the Incident Manager in Change Management and Problem Management?
    6. What happens in the CAB exactly, and who attends the CAB meeting in Change Management?
    7. Quote a few ideas/improvements you provided to your process as an Incident Manager.
    8. Please share an example of a time when you had to multi-task and make sound judgments in a fast-paced, high-stress environment, while at the same time keeping people informed.
    9. First, how would you handle communication to the senior-level staff waiting for the problem to be solved? Second, if you found out the key person was just not answering the call to join the bridge, how would you handle the communication with the admin’s manager after the incident was resolved?
    10. Difference between Incident Coordinator and Incident Manager

    Answers are as follows:
    1. If we assume that "critical" means an incident of high priority, then the usual challenges include: shorter resolution times, more focus from the customer side, the resolution must match what is really expected, etc.
    2. Take, for example, members of the Board of Management (BoM). They usually break standard procedures and require separate attention. We can argue whether this is right or wrong, but it's a fact. But it often happens that their requests get lost because they didn't follow the procedure. And that's your chance. Explain to them that it would be more efficient if they did it "by the book" and that it's not your fault that you follow the established process (e.g. Incident Management). Read the article to get familiar with how to talk to management: https://advisera.com/20000academy/blog/2016/03/01/how-to-translate-itiliso-20000-language-into-business-language-understandable-by-your-management/
    3. Well, security issues are always easier to explain (meaning, when you have to do something, e.g. bring the whole system down, because of security risks). When you talk to the customer, use arguments which are to their benefit (e.g. avoided financial loss).
    4. A Post Incident Review will usually take place after a major incident. That's your chance to learn something and prevent such incidents in the future. A Post Implementation Review takes place after, e.g., a change implementation, and you are validating whether the new functionality fulfills the requirements, whether you fulfilled financial and resource-related requirements, etc.
    5. First of all, incidents trigger problems and problems trigger changes. So, the people responsible for the processes carry the responsibility for timing, efficiency and costs. Take it vice versa: changes (as the answer to "how to eliminate the root cause?") can cause new incidents. If that happens repeatedly, then the Incident Manager has to escalate with the Change Manager regarding the efficiency of the Change Management process.
    6. Please see the article: https://advisera.com/20000academy/knowledgebase/change-advisory-board-itil-advise-approve/
    7. E.g. allowing users to see the log of their incidents (lower call volume to your Service Desk from users asking for the status); for incidents of priority 1 (telecom industry), in parallel to opening the incident the user has to make a call. See more about improvement initiatives: https://advisera.com/20000academy/knowledgebase/service-improvement-plan-sake-improvements/
    8. Well, I would suggest insisting on tool usage. In that way the information flow reaches its destinations and there is a log of all relevant data. Additionally, use the defined hierarchy inside the (ITSM) organization and insist on it.
    9. For the first question, see the article: https://advisera.com/20000academy/blog/2016/03/01/how-to-translate-itiliso-20000-language-into-business-language-understandable-by-your-management/ And for the second one, try to use as many facts as possible, particularly if there are tangible consequences (e.g. a service outage has a financial loss for the company as a consequence).