Search results

  • Documenting scope without quality manual


    Answer:

    The quality manual is no longer mandatory according to ISO 9001:2015. If you decide not to have such a document any more, you can create a document that only defines the scope of your Quality Management System. Here is the free preview of our Scope of Quality Management System: https://advisera.com/9001academy/documentation/scope-of-quality-management-system/

    The key processes and procedures are no longer explicitly required to be documented. The new version of the standard requires the organization to determine the sequence and interaction of the processes and to document them to the extent necessary to have confidence that the processes are being carried out as planned. This means that you don't have to document everything, only the processes and activities that are critical and can have nonconformities.

    That is the reason why we decided to keep the Quality Manual as a part of our documentation toolkit; although it is not a mandatory document, it provides a framework for fulfilling a lot of different requirements in one single document.

    For more information, see:
    - The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • Exclusion of clause 7.5.2 from ISO 9001:2008


    Answer:

    If you are only selling the fire extinguisher products, this clause would easily be excluded; however, servicing of the fire extinguishing products includes testifying that they are safe for use and are working properly. This is usually done through validation and verification processes.

    Validation is performed in cases when the verification can't be conducted and when it is not possible to confirm by measurement that a product or service satisfies the customer request or it is not possible to conduct measurement, since the product or service is being destroyed in the process.

    If you have such a situation, then you cannot exclude clause 7.5.2; otherwise it can be excluded, only the company needs to provide justification for the exclusion in the Quality Manual.

    For more information, see:
    - Understanding Product & Service Provision in ISO 9001 https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
  • Training effectiveness and job descriptions

    1. Is it a must for the manager to fill a report evaluating the effectiveness of a training program attended by his employee?
    2. Is it an ISO 9001:2015 requirement to have job descriptions for all the staff?

    Answer:

    1. The manager doesn't have to conduct an evaluation of the training effectiveness; the evidence of the effectiveness can be the certificate about passing an exam, or the effectiveness can be evaluated by other employees that already have the competence required. For example, if you send an employee to learn how to operate some machine, the other employee that already operates the machine can confirm that the newly trained employee is competent in operating the machine.

    2. No, ISO 9001:2015 does not explicitly require organizations to have job descriptions for all the staff; however, it is a good starting position for identifying needs for training.

    For more information, see:
    - Improving quality through effective training https://advisera.com/9001academy/blog/2014/12/09/improving-quality-effective-training/
  • Understanding context of the organization


    Answer:

    Understanding context of the organization includes identifying all internal and external issues that can affect ability of the organization to achieve its objectives. Internal context may include organizational structure, organizational culture, human resources, condition of the equipment, etc. External issues may be conditions on the market, relevant legislation, tax policy, competitors, etc.

    Identifying interested parties and their needs and expectations is part of determining context of the organization. Interested parties also may be internal and external and they also should be observed in sense of how they influence the organization. Once the organization determines what are the relevant interested parties, the organization must determine their needs and expectations related to the organization.

    For more information, see:
    - How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - How to determine interested parties and their requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
  • Documents and records serial number


    Answer:

    The new version of the standard has the same rules for documents and records and they are all treated as documented information.

    The reason for assigning the serial number to documents and records within the QMS is that the ISO 9001 standard requires documented information to have identification and description and this includes title, date, author or reference number. The serial number is not an explicit requirement of the standard, however, it facilitates identification of the documents and records.

    For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • General board level governance document that the non IT Director can understand


    Answer:

    According to ISO 27001, the top-level document that is intended for executives is the Information Security Policy - this is not a detailed document with all the security rules, but a document that sets general responsibilities, and defines a way to measure the information security performance. To measure the performance, you have to set the general information security objectives, and then measure if those objectives have been achieved.

    These articles will help you:
    - Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Validity of the ISO27001 Certificate from Advisera

    Thanks a lot! Great news
  • Scope for a company that provides IT services outsourcing


    Answer:
    From my point of view, such information should be included in the ISMS scope, and therefore risk management should be performed for that information. This article about the scope can be interesting for you "How to define the ISMS scope" : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    By the way, there is a standard related to information security in the cloud, which is ISO 27017, so this article can be interesting for you “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    Finally, maybe our online course about foundations of ISO 27001 can be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Appendix Clarification

    For example, the procedure for documents and records defines what records are used when the procedure is applied, and all those records are listed in section 4 together with other information relevant for each record such as location, retention time, owner of the document and so on.
  • Owners of multiple assets


    Answer:

    Asset owner should be a person who will be responsible for the information that is stored on that asset - so in case of laptops in your company, you could write that the owner is "A person who uses each laptop"; in some cases I've seen companies defining that the owner of all the laptops in a company is the IT department.