Search results

Home / Search

Category:
Select
Select

11275 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Can ISO 27001:2013 be certified against multiple legal entities?

    It is possible to have a single certification for multiple companies, provided that the ISMS scope covers elements of all companies (e.g., processes, information, and/or locations). Of course, all entities will have to go through all certification process together.

    Adopting a single certificate for all entities or separate ones for each entity is a business decision, depending on their objectives and strategies, but in general, organizations adopt the model of one certification for each entity, because a change in an entity does not impact the certification of other entities.

    These articles will provide you a further explanation about scope definition:

    This article will provide an additional explanation about single certification for multiples entities (although it is about ISO 9001, the same concept applies to ISO 27001):

    These articles will provide you a further explanation about implementing ISO 27001:

    These materials will also help you regarding ISO 27001 implementation:

    To see how documents used to implement ISO 27001 looks like, please take a look at the free demo templates of our ISO 27001 Implementation Toolkit in this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

  • ISO 14001 Risk assessment example

    Let us consider three sources of risk. Risk derived from processes, risk derived from products, and risk derived from the context and interested parties.

    https://www.screencast.com/users/ccruz5284/folders/Default/media/2dd2f971-acf2-4fd1-a9cf-d14fc93e17ee

    There is the risk that the operation of a wastewater treatment plan fails and due to that malfunction, the treated wastewater may have pollutants above legal limits.

    https://www.screencast.com/users/ccruz5284/folders/Default/media/ea1cabee-ad49-428f-a5de-d8fa967a3122

    There is the risk that product disposal at the end of life may not be done by the consumer according to legal practices.

    https://www.screencast.com/users/ccruz5284/folders/Default/media/0073681d-e4ee-4e0d-b1bf-2553b8f50149

    General public, society, is pressuring politicians to restrict the extraction of a raw material used by an organization. If that pressure succeeds the organization may find progressive difficulty in accessing that same relevant raw material.

    Please check this information below with more detailed answers:

     

  • ISO 9001 DI controls visibility

    No, you do not need to add DI controls visibly.

    What is the purpose of a version or date?

    Ensure that users know which version they are using and be able to verify that it is the latest version. How can users be sure that they are using the last version of the complaints policy? As long as they are using the digital version that is ensured. Some organizations use a message saying that a printed version is a noncontrollable copy and users should be aware of that risk.

    You can find more information about documentation below:

  • ISO 9001 questions

    "First question-What questions should be asked in accordance with iso 9001-2015 for internal audit examination at the teaching and student affairs department within the university?"

    Answer:

    Auditors carry out audits not because they want or like, but because they have customers, internal or external, who need an audit to be carried out. These clients, when awarding an audit, communicate three things to the auditor: the objectives of the audit; the scope of the audit and the audit criteria. The questions to be asked during an audit are based on the purpose of the audit and, above all, on the audit criteria. For example, ISO 9001: 2015 requires an organization to assess its customers' perception of their satisfaction. A set of questions can be asked around this topic: how to measure, how to analyze, and if it was done, and what were the conclusions, and what were the decisions, and what evidence can be presented.

    Second question- There will be risks in teaching, practice and student affairs at the university.Please share to learn more.

    Answer:

    Think about what can go wrong. For example, a teacher becomes ill and needs to be replaced with the least amount of damage to student learning. For example, some newspaper articles convey a positive image of the school, which makes the enrollment of new students drop sharply.

    Third question-What topics and topic to study if implementing the quality assurance path under iso 9001-2015 at the university? "

    Answer:

    Two important topics are around clause 4.2 and 4.4.

    About clause 4.2 - Who are the interested parties of the university? What do they need and expect from the university? For example, there are universities known to be easy to pass, there are universities known to excel at a certain topic. That depends on the target interested parties.

    About clause 4.4 – Study the process approach and draw a model of how the university works. ISO 9001:2015 promotes the process approach, but many people don’t get it.

    You can find more information below:

  • ISO 14001 objectives for consultants

    Before setting objectives, organizations have to define an environmental policy. A good environmental policy considers the scale and environmental impacts of its activities, products, and services. So, the relevant environmental objectives of an organization must be based on significant environmental impacts.

    Once I implemented an environmental management system at a consulting company, for that particular organization their biggest environmental impact was related to consultants' travel to projects with clients.

    You can find more information below:

  • Importance of the security issues

    Please note that there is no single answer to this question because you have different publics with different interests:

    • Top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, evangelization is a good approach
    • technical personnel with operational responsibilities for security needs deep knowledge over technologies, methodologies, and process, so education and training will get you better results
    • overall personnel needs a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, awareness and basic instruction would be enough

    These articles will provide you a further explanation about awareness in the organization:

    These materials will also help you regarding the awareness in the organization:

  • Business Continuity Management System Software Checklist

    Some criteria you should consider for evaluating BCMS software are:

    • Availability of online communication features, so employees have more freedom of work
    • Features specifically designed to cover ISO 22301 core requirements (e.g.: business impact analysis, risk assessment, business continuity planning, document and record management, etc.)
    • Availability of external support service and knowledgebase, because no software will help you solve 100% of the situations, and you will need expert advisement some moment
    • References about performance and stability of the platform
    • Cost for acquisition and maintenance.

    This article can provide additional information:

  • Question about auditors

    1. Does the external auditor need to sit privately with the internal auditor and see his IA plan and its IA report and verify all his findings?

    The external auditor does not need to sit privately with the internal auditor to perform the audit if he can use any other methods to find needed evidence to confirm that the internal audit is performed according to the standard.

    Regarding the internal audit findings, the external auditor can work with a sample, provided this sample can provide enough confidence that the process is being performed according to the standard´s requirements.

    2. Does the external auditor have a commitment and or obligation to verify his findings and corrective actions taken? Or simply look into his plans and its final report.

    ISO 27001 requires the verification not only of internal audit plans and results (clause 9.2) but also of the results of any corrective action taken (clause 10.1), so corrective actions taken as a result of internal audits need to be verified by the external auditor (again, this verification can be performed over a sample). 

    3. It’s well known that IA is not fully impartial and his IA report might not be a bit biased and or impacted by his senior management if he/she is not independently reporting to the highest authority?

    In fact, problems of conflict of interest and impartiality can occur, but to be compliant with ISO 27001 an organization needs to ensure objectivity and impartiality from internal auditors and that these are reported to relevant management (clauses 9.2 e) and 9.2 f)), and the external auditor should verify the fulfillment of these clauses. 

    4. Can the Internal audit out of transparency disclose any Nonconformities to the external auditor and or anything that the external auditor himself can not find during his short visit?

    Members of an organization can provide additional information for an external auditor if they think this can improve the results of the external audit and help improve the organization, but in general disclosure of such information needs to be aligned upfront between auditees and the organization’s top management (normally disclosure of such information without previous alignment can lead to disciplinary process). 

    These materials will also help you regarding audits:

    • ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    • Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    • Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

    • Process owner of Training plan documents

      There is no definition on this subject in the IATF 16949: 2016 standard or the ISO 9001: 2015 standard. This issue may vary from company to company.

      In some organizations, all training documents are stored by the HR department. In some companies, HR department stores only for office staff, and for workers who are production employees, the relevant department stores. In short, this subject varies according to the size and structure of the companies.

    • Timeline for processes audit

      According to IATF 16949:2016 standard, while making audit plans for the system and for the manufacturing process, it should be considered risk-based.

      These risks should be determined as follows:

      • Process changes Internal and external problems
      • New process or processes
      • New products or production technologies
      • Organization changes
      • Performance trends Customer complaints
      • etc

      The risk level should be determined according to these situations and the frequency of audits should be determined in a 3-year period. There is no requirement for one audit per year. If there is no risk, a process can be audited once in 3 years, or if there is a risk, another process can be audited 3 times a year.

      The IATF 16949: 2016 standard explains as follows.

      For System Audit; The organization shall audit all quality management system processes over a three-year audit cycle, according to an annual program, using the process approach to verify compliance with this Automotive QMS Standard. Integrated with these audits, the organization shall sample customer-specific quality management system requirements for effective implementation. The complete audit cycle remains three years in length. The quality management system audit frequency for individual processes audited within the three-year audit cycle shall be based upon internal and external performance and risk. Organizations shall maintain justification for the assigned audit frequency of their processes. All processes are required to be sampled throughout the three-year audit cycle and audited to all applicable requirements in the IATF 16949 standard, including ISO 9001 base requirements, and any customer-specific requirements.

      For Manufacturing Process Audit; Each audit does not have to cover all shifts in one audit (for example an audit of the pressing process could be done on shift 1 and 2, sampling shift changeover in year 1, and then in year 2 or 3 an audit undertaken on the third shift for pressing). However, all manufacturing processes must be audited on all shifts over a three-year cycle, the frequency depending on risk, performance, changes, etc.

      For more information, see:

Page 232-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +