Implementing risk management exceeds the requirements of ISO 9001, which only requires risk-based thinking. For implementing risk management it is best to follow ISO 31000, which provides a framework for selecting the methodology, defining the scope and conducting risk management. The process of risk management includes several steps:
1. Establishing the context
2. Risk identification
3. Risk analysis
4. Risk evaluation
5. Risk treatment
6. Monitoring and review
Answer:
According to PMBOK 5, a work breakdown structure is “A hierarchical decomposition of the total scope of work to be carried out by the project team to accomplish the project objectives and create the required deliverables”.
Best practices in accessing business cloud applications
Answer:
Some best practices in accessing business cloud applications from mobile devices are:
- Use a secure channel for the connection (VPN, SSL, etc.)
- Never store information related to your access credentials on the device (avoid "remember user/password" on the device)
- Lock your device with a code, and also lock each app (above all the app that you use for accessing the business cloud)
- Never share the device with another person
- Avoid free public Wi-Fi connections, or if you use one, make sure that your connection is protected by a secure channel (VPN)
Since you are dealing with a lot of different industries, you will have to make sure which ISO certificate your client requires. I will assume that it is the ISO 9001:2015 certificate, but the process is pretty much the same.
First you need to conduct the gap analysis to determine to what extent you already meet the requirements of the standard and also what needs to be done in order to achieve full compliance. Usually, you need to create additional procedures and records and to establish some new processes. Once you determine all the activities that need to be done, you should create the Project Plan and define the deadlines, responsibilities and resources for each activity; this is not a mandatory step, but it will help you avoid missing something out. The next step is to implement all the activities and to conduct the internal audit and management review to ensure that you are fully compliant with the standard. The final step is to hire a certification body to conduct the certification audit and issue you the certificate.
We offer documentation toolkits and free online courses for ISO 9001, ISO 14001 and ISO 27001. Together with the toolkit you will be entitled to online meetings with an expert who will help you with the implementation, and you can also ask an unlimited number of questions via email.
Internal audits, KPIs and Management review according to ISO 9001:2008
I have prepared the QMS manual by referring to other documents and renewed the 9001:2008 certificate, but I want to learn and do it myself since the company is not willing to spend money on my training for ISO MR.
Document control procedure - not a requirement but a recommendation
I feel there is something unclear or conflicting. If it will control the QMS and it is best practice, why does ISO 9001:2015 not state it in the requirements?
Answer:
You are correct, the standard no longer requires a documented procedure for document or record control. The reason for that is simple: small companies won't have the burden of having too many documents and procedures, because they don't need some complicated procedure for document and record control, while the companies that need such a procedure will create it regardless of the fact that it is not required.
The requirements for managing documents (publishing, updating, withdrawal, etc.) remain pretty much the same; they only don't have to be documented, but that doesn't mean that they shouldn't be.
"Ratify" means to make the document officially valid. In terms of ISO 9001, you need to withdraw all expired documents and issue new ones with a new version number for each document. Also, for control of the use of valid documents, we use the List of Internal Documents https://advisera.com/9001academy/documentation/list-internal-documents/ where you have information about the valid documents: their name, version number and expiration time.
Also, all withdrawn documents must be labelled as such to avoid misuse and to make sure that the valid versions of the documents are available at the place of use.
Quality objectives are goals that you set for your Quality Management System, and they reflect what you want to achieve with your QMS. Quality objectives must be precisely defined to enable the organization to evaluate the level of their achievement; for example, the objective "increase customer satisfaction" is not a good objective, because it doesn't have a time frame and a value, so you can't determine whether you achieved it or not. On the other hand, the objective "increase customer satisfaction by 20% in 2016" has a target value and a time frame, so at the end of 2016 you will be able to determine whether you achieved it or not.
The quality objectives must be measurable and timed, and they have to be in line with the Quality Policy; for example, your Quality Policy will state that your organization is committed to increasing customer satisfaction, therefore your objective is to "increase customer satisfaction by 20% in 2016".
All aspects of the QMS can be transformed into quality objectives, but the objectives must meet the above-mentioned criteria. System improvement is not easily transferred into an objective; it is more like the overall effect and achievement of the objectives. System improvement can't be measured as is; it can be a sublimation of several different inputs, such as customer satisfaction level, number of customer complaints, number of nonconformities, etc.
How long should a company operate the ISMS before an internal audit takes place?
Answer:
ISO 27001 does not specify this time frame, so basically as soon as you finish the implementation phase you should start your internal audit; this way the gaps in the implementation will be the most visible. You could repeat the internal audit a couple of months after the implementation, once a number of records have been created.
You should start your certification audit only after you finish the management review (the management review has to be done after the internal audit and before the certification audit), and after you close all the corrective actions. In practice, for smaller companies you could have 2 weeks of difference, while for larger companies you could have e.g. 2 months of difference between the internal and certification audit.