- There is no absolute difference since there is no absolute definition of these two. Generally, the policy defines certain intention and gives direction, whereas a standard specifies a standardized way of doing something.
Would an organization have a standard and policy co-existing?
- Yes, although a standard is not seen very often - more often you would see a policy and procedures co-existing.
For example, would there be an Asset Management standard and an Asset Management policy coexisting? Or as another example, an Access Control Standard and a Password Policy?
- Yes, this is possible, although more often you would have Asset Management Policy and then Asset Management Procedure.
Another dilemma question I have is: is it a good idea for an organization to have a fairly complex ICT Security Policy (with sub-policies within it; for example, this single document would have acceptable use, intranet, shared drive, email usage etc. covered in it)?
- I don't think this is a good idea because it will be very difficult to maintain such a document, and even more difficult for users to read and understand this policy. A much better solution is to have separate policies which describe certain areas - read this article for more explanation: https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
Because some sub-parts of this policy may not be relevant to the end user, we should take into consideration the question of whether we publish this to an incumbent user to read and sign when some sub-parts do not apply to the user.
- When you have separate policies, you send only the relevant policies to users, not all policies; further, it is not mandatory for them to sign them - it is enough that you have some kind of proof they have received them (e.g. through a Document Management System).
That brings up another question: is it good practice to have two versions of a policy, one for general user use (used at induction and which the user signs to abide by during the employment period) and another one for high-level use?
- No, redundancy in documentation brings only problems - again, you should create separate documents for certain areas.
Scope of the QMS - our document
Answer:
Chapter 3.1 refers to the processes inside your company that are included in the scope of the quality management system; if we take your example, it can be something like this:
"The processes of our company that are included in scope of the QMS are:
Purchasing
Sales
Production of nuts and bolts
Warehousing
Transportation"
In section 3.2 you need to write the products and services your organization provides that are included in the scope of your QMS:
"Our Quality Management System covers production and delivery of nuts and bolts."
In section 3.3 you need to describe what units and functions are included in the scope and how they are separated from the ones that are not included in the scope. To expand your example, let's say that the company produces not only nuts and bolts but also screwdrivers, and production of screwdrivers is excluded from the QMS scope. In that case, you need to write something like this:
"The scope of our quality management system covers the purchasing and sales departments, the department for production of nuts and bolts and the transportation department. The department for screwdriver production is not inside the scope of the QMS and is located in a separate facility at another location."
Chapter 3.4 requires you to define all locations of your company that are included in your QMS scope, for example:
"Administrative building, 123 boulevard, New York
Production facility, 456 street, Boston"
Chapter 3.5 requires you to list the organizational elements (units, departments, processes, etc.) that are excluded from the scope. In our example it would be:
Every department has processes that are its responsibility. For example, the HR department is responsible for recruitment and for providing the necessary training for employees. So, they may decide to create a Procedure for Human Resources that will explain how they execute their processes, but that is not mandatory under ISO 9001.
Documentation for the context and risks and opportunities
Answer:
Actually, ISO 9001:2015 doesn't explicitly require you to create any documents regarding the context of the organization and risks and opportunities; it will depend mostly on the size and type of the organization and the complexity of your processes.
My recommendation for addressing the requirements regarding the context of the organization and risks and opportunities is to create some documents, because it is much easier when it's done for the first time and, frankly, it will be much easier to demonstrate your conformance to the requirements to the certification auditor.
Yes, ISO 9001 is definitely suitable for your type of business since it helps you demonstrate your ability to deliver quality products and services and also that you care about your customer satisfaction.
Yes, you can have only one department of your organization within the scope of your quality management system; you only need to state that clearly in your document about the QMS scope. Once you decide to go for ISO 9001 certification, you will receive a certificate that refers only to that department.
Internal and external issues and risks and opportunities prioritization
Answer:
Internal and external issues differ from organization to organization, but there are some that are common for all organizations. Internal issues can be the organizational structure, the culture of the organization, issues related to your employees (current competence vs. needed competence, their needs and expectations, etc.), issues related to the technology and equipment your organization uses, etc.
External issues are related to the external environment in which the company operates; this can be the economic and political situation in your country, legislation, but also the needs and expectations of external interested parties such as your suppliers, subcontractors, customers, etc.
Determining internal and external issues is closely related to the identification of the needs and expectations of interested parties, and that can be easier and can provide you with inputs on what to consider when addressing internal and external issues. There is no formal requirement to document the context of the organization, but it can be very useful to do so when you are doing it for the first time.
The crucial step in identifying risks and opportunities is to properly determine the context of the organization. Once you have this information, you can start thinking about the risks and opportunities regarding your QMS. There is no single way to prioritize risks and opportunities, but you should start with risks and opportunities that directly affect the quality of your products and services and customer satisfaction, or start with the ones that require the least resources and time and can be resolved easily. The important thing is to make a plan to address risks and opportunities, meaning to define resources, responsibilities and actions to address each risk and opportunity.
educational institution (University), so I want advice. I started with reading the mandatory documents & records, but is it right to start with that? And if not, where should I start?
Answer:
The first step is to do a GAP analysis, meaning to compare your current state with the requirements of the standard. Identifying mandatory documents is only a part of this step, but a very good one. So besides determining mandatory documents, I suggest you do a GAP analysis and find out what other requirements you need to meet. Then you can make a project plan to fill in the gaps and make your department compliant with the standard.
After the initial certification you will have surveillance audits in the next year, and in the year after that you will have a recertification audit. Surveillance and recertification audits are not so different from the certification audit, and they usually cost almost the same.
ISO 9001:2015 only requires you to analyze risks in your Quality Management System; it does not require you to manage risks actively, and there are many ways to analyze risks in your business. You will find this article interesting, Methodology for ISO 9001 Risk Analysis: https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
By the way, ISO 31000 is a code of good practice that you can use to develop your own methodology (this standard is for any type of risk). You can purchase and download ISO 31000 from the official iso.org site: https://www.iso.org/standard/43170.html