Search results

ISO 14001 benefits

The standard way of answering your question can be a mix of topics from these articles - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/ and - ISO 14001: The benefits for customers - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/ - you can use one or more topics from the articles to support your proposal.

Can your organization win new clients that demand ISO 14001 certification? Can your organization reduce costs due to a systematic improvement of environmental issues? For example, while implementing an environmental management system I was able to reduce costs, and improve productivity, by changing to water-based adhesives instead of solvent-based ones or reduce energy consumption due a systematic attack on compressed air leaks or reduce cost with waste disposal due to better segregation and different and better destinations instead of just dumping in a landfill. If you can attach money to your promise, you can make them see ISO 14001 as an investment, what can be earned in return for an implementation cost.

You can find more information below with more detailed answers:

• Project checklist for ISO 14001 implementation - https://info.advisera.com/14001academy/free-download/project-checklist-for-iso-14001-implementation
• ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

ISO 9001 external documents

thank you

CSP - CSC - end user in iso 27017

In this scenario, Company A needs to be considered both cloud service customer and cloud service provider.

This happens because company A needs to fulfill customers’ requirements related to cloud security (in this case it acts as a cloud provider), and at the same time it needs to enforce these requirements, and its own, on its suppliers (in this case it acts as cloud customer).

This article will provide you a further explanation about ISO 27017:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

Performing Risk management according to ISO 27005

ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).

Considering that, general steps for risk assessment and treatment are:

• Definition of a risk assessment and treatment methodology
• Performing of risk assessment (risk identification and risk analysis)
• Performing of risk treatment (risk evaluation and controls selection)
• Elaboration of a risk treatment report
• Elaboration of Statement of Applicability (SoA)
• Elaboration of Risk Treatment Plan and acceptance of residual risks

This article will provide you a further explanation about implementing risk management:

•  ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will provide you a further explanation about implementing risk management:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

If you want to see how a risk management process compliant with ISO 27005 looks like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

ISO 9001 non-conformities

Non-conformities can be about:

• The product or service
• Process performance
• System conformance
   

Non-conformities derived about the product or service are detected during quality control activities or following a complaint.

Non-conformities derived about process performance are detected during analysis and evaluation of process performance data.

Non-conformities derived about system conformance are detected during internal audits or during management review.

The following material will provide you information about nonconformities:

• ISO 9001 – Understanding dispositions for ISO 9001 nonconforming product - https://advisera.com/9001academy/blog/2014/11/18/understanding-dispositions-iso-9001-nonconforming-product/
• ISO 9001 - ISO 9001 – Difference between correction and corrective action - https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/ ion/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 9001 non-conformities

I’m afraid your question is a symptom of a common mistake in quality management systems while treating product or service non-conformities.

When treating product or service non-conformities you must, it is mandatory, to eliminate the non-conformity (correction) and treat its consequences. And the timer is ticking, you should do that as fast as possible to prevent unintended use:

Once eliminated the non-conformity you should evaluate your current practices. That is why I recommend using the SDCA cycle from Shoji Shiba.

You have a standard (S) way of doing things, written or unwritten, it is the way your organization works. You do the work (D) according to the standard and you check (C) the results. And you detect non-conformities. And you treat the non-conformities. After treating the non-conformities, the urgency stops, and you think about your standard way of doing things:

You ask should we improve, or should we keep the current standard? If your organization decides that can live with the current performance there is no need for corrective action, you continue in the SDCA cycle. If, when you ask if the improvement is needed, you realize that it is a systematic failure, there is a trend or a serious situation, you are concluding that the situation calls for improvement. That means, you can no longer trust your current standard, you must jump into the PDCA cycle to develop corrective action, an action to eliminate the cause(s) of the non-conformity.

If your organization considers that the situation is “beyond our control” you are concluding that no corrective action is needed. However, I would prefer writing “No corrective action needed” instead of “beyond our control”. I worked as a quality manager in a manufacturing plant more than 25 years ago and we had problems with power failure, we picked the priority machines and established an emergency supply operation with diesel generators.

Please search for the "Deming funnel tampering" about the problem of tampering with a system, when one tries to improve a system after each non-conformity. 

You can find more information below:

• Free webinar on-demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Question for ISMS ISO 27001

First is important to note that risk does not need to have a dedicated risk owner. A risk owner can be responsible for multiple risks. I’m assuming you wanted to say that risk needs to have a single owner.

Regarding your question, ISO 27001 does not prescribe that risk owners need to be part of the ISMS scope, so this person can be someone from outside the scope, but you need to ensure that this person has approved management responsibility, accountability, and authority for managing the risk.

This article will provide you a further explanation about risk owners:

• Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

This material will also help you regarding risk management:

• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

ISO 27001 questions

First of all, sorry about this misunderstanding.

Based on the auditor's findings, the certification body can remove or cancel your certificate.

In the situation the auditor identifies nonconformities, the organization will have a defined time to solve them. In case nonconformities are not solved in a defined time the certification will be suspended, and after an additional time has passed without a solution, then the certification will be canceled.

ISO 9001 3 metods

Using a formal communication plan stating what to communicate to whom, by who, with what frequency, and how.

Starting the day with a morning meeting on the shop floor where every person can ask questions.

Create a set of Slack teams to communicate and give feedback.

You can find more information below:

• Communication requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Design and development process

Yes, clause 7.3 is applicable for you. It means that you must have documented procedure for the Design and development, and a form where you will fulfill changes that you have made, how you validate those changes and you transfer it to the production.

For more information please see the following links:

• How to manage design and development of medical devices according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/
• Design and development validation and verification according to ISO 13485 https://advisera.com/13485academy/blog/2019/02/14/design-and-development-validation-and-verification-according-to-iso-13485/

On the following link you can see the preview of documents regarding the design and development from our ISO 13485:2016 Documentation toolkit:

• Procedure for design and development https://advisera.com/13485academy/documentation/procedure-for-design-and-development-iso-13485-2016/
• Design and development file https://advisera.com/13485academy/documentation/design-and-development-file-iso-13485-2016/
• Design and development transfer record https://advisera.com/13485academy/documentation/design-and-development-transfer-record-iso-13485-2016/
• Change review record https://advisera.com/13485academy/documentation/change-review-record-iso-13485-2016/