
  • Document Control

    Besides the requirements you mentioned, the document control process also needs to consider appropriate:

    • identification and description
    • format and media
    • review and approval
    • control to ensure availability and suitability for use
    • protection

    This article will provide you with a further explanation about document control:

    This material will also help you regarding document control:

  • SWOT analysis and management structure in ISO 9001

    “I want to understand the frame / process that is followed in creating an ISO management documentation - are you able to provide a structure.”

    In this article, you see the most common frame used to describe a quality management system (QMS) documentation - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/

    It starts with the quality policy, the most high-level document in a QMS, and continues with a quality manual, no longer mandatory with ISO 9001:2015, but still considered useful by most organizations to present a general description of the management system. For example, I recommend designing the quality manual based on the process mapping exercise of clause 4.4.1 b). Then come the procedures, where we can describe what is done in the QMS, by whom, and when. When a more detailed description of how to do something in the QMS is needed, we use work instructions. At the base, we have forms that, once filled in, become records. We also have other records not generated by filling in a form. For example, an e-mail sent by a customer with a complaint becomes a record.

    Procedures and work instructions are not mandatory. Please check clause 4.4.2. Each organization can consider a list of topics when thinking about what procedures are needed or not. Consider that a procedure may be useful or needed because of:

    • The complexity of tasks – complex tasks are more prone to errors and mistakes;
    • Staff rotation – if staff rotation is high, people do not have much experience, and a procedure that someone can use as a guide in case of doubt is very useful;
    • Staff training – if staff training is very poor;
    • Performance – if performance results show bad performance, perhaps procedures can help people in their work;
    • Complaints – a particular case of performance;
    • Requirement – if a law, a standard, or a contract requires a procedure.

    “Also, I liked that a SWOT analysis is carried out. Is a SWOT always carried out?”

    Carrying out a SWOT analysis is not mandatory. So, organizations may not use it. In this free webinar-on-demand, I show how the SWOT analysis can be used - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/

    You can find more information about context, documents, and records below:

  • Conformio risk register, confused by some of the threat mappings for Human Resources

    Please note that the mentioned threats (Earthquake / Fire / Flood / Storm) can cause injuries to employees (making them unable to work) or prevent them from reaching the workplace, and if there is no replacement person to perform activities, the business will be negatively impacted.

    This article will provide you with a further explanation about matching assets, threats, and vulnerabilities:

    This material will also help you regarding matching assets, threats, and vulnerabilities:

  • Clause 8.5.4 Preservation

    Sometimes, to ensure product or service conformity, organizations must control and prevent situations that lead to deterioration, loss, theft, end of validity, tampering, and so on.

    For example, raw materials, while at a warehouse, may deteriorate due to high or low temperatures or the level of humidity, or may be lost due to animal contamination or mixing with other substances. During manufacturing, dust or other types of contamination may generate product nonconformities. The finished product may be lost because temperature and humidity are not controlled, or because handling is not well suited (remember the warning phrase “Fragile” on packaging). Finished products may also be lost due to bad practices at the warehouse, where new batches are shipped before old batches until the validity period runs out.

    For example, at a restaurant consider temperature and contamination control to avoid food deterioration. An IT service provider considers measures to preserve the server’s performance. A university considers what should be done to ensure that exams are not disclosed.

    So, in your organization’s case look for situations like these and think about what should be done to prevent them.

    You can find more information below:

  • Linking the external/internal issues and interested parties to the risk and opportunities

    ISO 27001 does not require an explicit identification/link between external/internal issues, interested parties, risks, and opportunities, so this issue is not a certification requirement.

    The standard only requires that external/internal issues, interested parties are determined.

    These articles will provide you with a further explanation about internal/external issues and interested parties:

  • Needs and Expectations of Interested Parties

    If you investigate Annex A.3 from ISO 9001:2015 you can read in its last paragraph:

    “It is for the organization to decide if a particular requirement of a relevant interested party is relevant to its quality management system.”

    So, determining the needs and expectations of a particular interested party is not an exercise to be done in the abstract. It must be grounded in each organization’s reality and its purpose and strategic direction. Two organizations that look similar from the outside may, due to different strategic orientations, hope to work with and satisfy different segments within a generic group of interested parties.

    Some examples can be:

    Investors

    • Want to get a return on their investment
    • Want reliability of external context
    • Want reliable and frequent information

    Regulators

    • Want compliance obligations to be duly communicated and respected

    Your list is very long, and I cannot provide detailed information here. Remember, ISO 9001:2015 uses the word determine, not the word identify. Identify means that they exist independently of the observer, and the observer's work is to find them. Determine means that the observer, considering strategic orientation and context, decides what is relevant. It is a management decision, not a technical decision.

    Please check this free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/ - where you can see examples of context and interested parties analysis.

    You can find more information below:

  • The best simplified way of carrying out an ISO audit

    I gather you are referring to an ISO 17025 internal Audit?

    In that case, the person performing the audit needs to know what the scope of work is (what tests or calibrations are accredited, whether sampling is included, etc.) and what processes are involved. Thereafter, the audit criteria (the requirements being assessed) need to be documented. The simplest way to achieve this is to use a suitable checklist. This could be your own checklist based on ISO 17025; however, the most straightforward approach is to use the accreditation body's checklist (which they use for their assessments) or the Advisera toolkit. Witnessing and vertical assessment should also be performed.

    For further information, see the article ISO 17025 technical internal audit: The basics at https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/

    The following will provide more information:

    ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/

    The five Internal Audit Procedure appendices (Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist, and Internal Audit Report) are available separately from the procedure link above, or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Register of Legal, Contractual, and Other Requirements - how detailed?

    1 - Do I list each requirement separately or put all 30 of the items in the "Description of the requirement" field?

    The way of handling this situation will depend on who will be responsible for fulfilling the requirements. If a single role will be responsible for all requirements, then you can include a single register. In case the specific requirements are to be treated by different roles (e.g., there are privacy requirements, continuity requirements, compliance requirements, etc.), then it is better to split the requirements into different records.

    To avoid making the description excessively long, you can identify only the clause instead of including all of its text.

    2 - Do I limit the items to just those that are security-related?

    For ISO 27001 compliance purposes, you only need to include the requirements related to information security.

    3 - Most of our customers are banks, and we fill out a SIG that has hundreds of security-related questions; it seems impractical to list all of these in the register for each customer.

    Suggestions?

    In cases like this one, you only need to refer to the customer's Standardized Information Gathering (SIG). You do not need to include each question in the platform, only the reference to the document that contains them, so that the person responsible for fulfilling them can know where to find them.

  • Recommendations on Security Awareness and Training

    1 - How do I get this going in my company?

    The first thing you need to do is identify which competence gaps you have (i.e., which knowledge or skills your employees need to have). Some examples are:

    • Use of passwords
    • Backup operation
    • Software installation and patching
    • Performing of internal audit

    Second, you need to define the method to be applied: training sessions, workshops, newsletters? What will work best for your company? At what frequency should they be performed (e.g., weekly, monthly, annually)?

    After that, you need to evaluate whether these gaps can be filled by internal personnel, or whether you will need external support.

    Once you have these answers, you can start defining your training and awareness plan.

    These articles will provide you with a further explanation about awareness:

    This material will also help you regarding awareness:

    2 - What will the auditor be looking for in this requirement?

    For clause 7.2 (competence), the auditor will be looking for evidence that you have:

    • determined which security competencies are necessary
    • identified gaps in knowledge, skills, and/or experience in information security related to activities that employees need to perform (e.g., secure development skills for the development team)
    • performed actions to fill those gaps (e.g., by means of training attendance lists, certificates, etc.) and verified that those actions were effective.

    For further information, see:

  • Risks treatment

    Please note that “documents regarding risk treatment” can mean documents related to ISO 27001 clauses 6.1.3 and 8.3, and documents related to ISO 27001 Annex A.

    Documents related to clauses 6.1.3 and 8.3 cannot be ignored because they are mandatory documentation. You need to develop them to be compliant with the standard. You need to document the results of risk treatment, even if you already have implemented controls. Documents required by these clauses are:
    - Risk treatment plan (clauses 6.1.3 e, 6.2, and 8.3)
    - Risk assessment report (clauses 8.2 and 8.3)

    Regarding ISO 27001 Annex A, some controls, when defined as applicable, also require documents to be written:
    - Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    - Inventory of assets (clause A.8.1.1)
    - Acceptable use of assets (clause A.8.1.3)
    - Access control policy (clause A.9.1.1)
    - Operating procedures for IT management (clause A.12.1.1)
    - Secure system engineering principles (clause A.14.2.5)
    - Supplier security policy (clause A.15.1.1)
    - Incident management procedure (clause A.16.1.5)
    - Business continuity procedures (clause A.17.1.2)
    - Statutory, regulatory, and contractual requirements (clause A.18.1.1)

    In case you have implemented any of the abovementioned controls you need to develop related documents. For other controls no documentation is defined as mandatory, and you do not need to develop documents for them.

    These articles will provide you with a further explanation about risk management and mandatory documents:
    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    These materials will also help you regarding risk management:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
