
  • Risk assessment, process control and management review in QMS


    Answer:

    Risk assessment in classical terms is not required by ISO 9001:2015, the only thing the standard requires is risk-based thinking. The standard does not require full scale risk management, or risk assessment methodology, the standard only requires organizations to identify risks and opportunities related to its ability to achieve its objectives and to create plans for addressing them. To meet the requirement for addressing risks and opportunities, it is enough to arrange the brainstorming session with relevant roles in your company and talk about risks and opportunities emerging from internal and external context of the organization. For more information, see: The Role of Risk Assessment in the QMS https://advisera.com/9001academy/blog/2014/01/07/role-risk-assessment-qms/

    Process control is basically the activity or set of activities that will ensure that the process will deliver expected outputs. The controls may be engineering or technological, meaning that some crucial parameter of the process will be controlled by using some technological solution, or it can be administrative, meaning that the organization will prescribe the procedure or work instruction to ensure that the process is carried out as planned. Depending on the nature of the process and the nature of the process output the controls may vary. Here is the example of the control of purchasing process: How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/

    The purpose of the management review is to make assessment of the entire QMS and make decisions to improve the system. Similar to the previous version of the standard, the new version also requires records of management review and the standard also prescribes mandatory inputs and outputs of the management review. For more information, see: How to make Management Review more useful in the QMS https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
  • Approval of documents and risks

    If you mean to approve the risks in a review meeting, for me it is ok, if it is performed before the implementation of the risk treatment plan, and obviously the risk owners are present, and you can maintain the minutes as evidence to show approval.

    For more information about the risk assessment and treatment, this free webinar can be interesting for you “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Documenting scope without quality manual


    Answer:

    The quality manual is no longer mandatory according to ISO 9001:2015; if you decide not to have such document any more, you can create the document that only defines the scope of your Quality Management System. Here is the free preview of our Scope of Quality Management System https://advisera.com/9001academy/documentation/scope-of-quality-management-system/

    The key processes and procedures are no longer explicitly required to be documented. The new version of the standard requires organization to determine the sequence and interaction of the processes and to document them to the extent necessary to have confidence that the processes are being carried out as planned. This means that you don't have to document everything, only the processes and activities that are critical and can have nonconformities.

    That is the reason why we decided to keep the Quality Manual as a part of our documentation toolkit; although it is not a mandatory document, it provides a framework for fulfilling lot of different requirements in one single document.

    For more information, see:
    - The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • Exclusion of clause 7.5.2 from ISO 9001:2008


    Answer:

    If you are only selling the fire extinguisher products, this clause would easily be excluded, however servicing of the fire extinguishing products includes testifying that they are safe for use and are working properly. This is usually done through validation and verification processes.

    Validation is performed in cases when the verification can't be conducted and when it is not possible to confirm by measurement that a product or service satisfies customer request or it is not possible to conduct measurement, since product or service is being destroyed in the process.

    If you have such situation, then you cannot exclude the clause 7.5.2; otherwise it can be excluded, only the company needs to provide justification for the exclusion in the Quality Manual.

    For more information, see:
    - Understanding Product & Service Provision in ISO 9001 https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
  • Training effectiveness and job descriptions

    1. Is it a must for the manager to fill a report evaluating the effectiveness of a training program attended by his employee?
    2. Is it an ISO 9001:2015 requirement to have job descriptions for all the staff?

    Answer:

    1. The manager doesn't have to conduct evaluation of the training effectiveness, the evidence of the effectiveness can be the certificate about passing an exam or the effectiveness can be evaluated by other employees that already have competence required. For example if you send an employee to learn how to operate some machine, the other employee that already operates the machine can confirm that the newly trained employee is competent of operating the machine.

    2. No, the ISO 9001:2015 does not explicitly require organizations to have job descriptions for all the staff, however it is a good starting position for identifying needs for training.

    For more information, see:
    - Improving quality through effective training https://advisera.com/9001academy/blog/2014/12/09/improving-quality-effective-training/
  • Understanding context of the organization


    Answer:

    Understanding context of the organization includes identifying all internal and external issues that can affect ability of the organization to achieve its objectives. Internal context may include organizational structure, organizational culture, human resources, condition of the equipment, etc. External issues may be conditions on the market, relevant legislation, tax policy, competitors, etc.

    Identifying interested parties and their needs and expectations is part of determining context of the organization. Interested parties also may be internal and external and they also should be observed in sense of how they influence the organization. Once the organization determines what are the relevant interested parties, the organization must determine their needs and expectations related to the organization.

    For more information, see:
    - How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - How to determine interested parties and their requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
  • Documents and records serial number


    Answer:

    New version of the standard has the same rules for documents and records and they are all treated as documented information.

    The reason for assigning the serial number to documents and records within the QMS is that the ISO 9001 standard requires documented information to have identification and description and this includes title, date, author or reference number. The serial number is not an explicit requirement of the standard, however, it facilitates identification of the documents and records.

    For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • General board level governance document that the non IT Director can understand


    Answer:

    According to ISO 27001, the top-level document that is intended for executives is the Information Security Policy - this is not a detailed document with all the security rules, but a document that sets general responsibilities, and defines a way to measure the information security performance. To measure the performance, you have to set the general information security objectives, and then measure if those objectives have been achieved.

    These articles will help you:
    - Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Validity of the ISO27001 Certificate from Advisera

    Thanks a lot! Great news
  • Scope for a company that provides IT services outsourcing


    Answer:
    From my point of view, such information should be included in the ISMS scope, and therefore risk management should be performed for that information. This article about the scope can be interesting for you "How to define the ISMS scope" : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    By the way, there is a standard related to the information security in the cloud, which is ISO 27017, so this article can be interesting for you “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    Finally, maybe our online course about foundations of ISO 27001 can be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
