Search results

FCS security governance critical success factor

Considering ISO 27014, the ISO standard for Governance of Information Security, the governance of information security is a system for control and direction of information security activities.

Considering that, examples of measurements to identify failure to control and direct information security activities are:

• low number of business strategies supported by information security initiatives
• low number of controls achieving proposed objectives
• high number of information security incidents
• no achievement of proposed objectives for the ISMS

The measurements you proposed are mainly focused on management activities, and these cannot ensure the expected results for information security are achieved (e.g., all meetings can address security issues, but no one of them is effectively resolved over time).

DPIA For Cloud Services

When and how to carry out a DPIA (data protection impact assessment) with respect to cloud services for my organisation.

ISO 9001 surveillance audit requirements

If I have a certified person in a company who conducts ISO internal audit annually, do I need to pay certification body anyway to come and conduct a surveillance audit every year? Is it must?

Answer:

If you want to be certified by a certification body, you must have the surveillance audits every year. If your organization does not need to be certified you can avoid that cost.

You can find more information below:

• What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
• Surveillance visits vs. certification audits - https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
• ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/
• Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 9001 manual

ISO 9001:2015 has no mandatory requirement for the existence of manual or procedures. It is up to each organization to decide if a manual is useful and what should be its content.

I recommend organizations to have a quality manual, but it is just a recommendation. Please check this article about mandatory documentation - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

The following material will provide you information about the quality manual:

• The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Roles and responsibilities of the QMS working committee

ISO 9001: 2015 does not provide, does not prescribe the existence of a QMS working committee, but it also does not prohibit it. Each organization must consider which organizational arrangement is best suited to its internal culture.

So, I advise you to start with the end in mind. What is needed to happen at a higher level to ensure continued compliance to certification?

For example:

• Ensure that internal audits are done and closed
• Ensure that management review takes place and is effective
• Meet to analyze trends around performance indicators results
• Keep updated the context and interested party’s determination
• Ensure continual improvement
  …
   

You can find more information below:

• What will be the destiny of the management representative in the new ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
• Choosing the best person for the job quality management representative: https://advisera.com/9001academy/blog/2014/06/03/choosing-best-person-job-quality-management-representative/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Preparing documents per each clause

First of all, it is necessary to understand the IATF 16949: 2016 standard very well, if necessary, it may be good to participate in a 2-day training and perform a gap analysis during the training. Every "shall" written in the standard is a requirement and must be done. An action plan should be made for all "shall" requirements and relevant requirements should be taken and adopted into the quality management system (QMS).

To get an idea of which kind of records you can use for your management system, see this toolkit:

• IATF 16949:2016 Documentation Toolkit https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/

• ISO 14001 Cost, benefits, purpose and intention

  1. What do you view as the Cost and benefits of ISO 14000 adoption and implementation?

  Answer:

  About benefits, please check these articles - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/ and - ISO 14001: The benefits for customers - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/

  About costs, it is difficult to answer because ISO 14001:2015 imposes nothing that the legislation does not impose. Thus, the costs incurred to comply with the legislation are not imposed by ISO 14001: 2015. Other costs are implementation and maintenance costs for the management system.

  2. Describe the purpose and intent of the ISO 14000 program?

  Answer:

  The purpose of ISO 14001 is to help organizations improve their environmental performance through more efficient use of resources and reduction of waste.

  You can find more information about IDSO 14001 below:

  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
     

• Software for creating the routes for the school buses

  Hello Alessandra, thank yoy very mutch for your reply! Could you please explaine how can we apply pseudonymization or anonymization to adresses without names? Thank in advance, kind regards, Denis

• Need for meeting requirements per FDA 21 CFR

  You need to be in partial compliance with FDA 21 CFR, the part that considers purchasing process, production, quality control, and storage. In your case, you are providing outsourced services for your client. From both Fda or ISO 13485 standpoint of view, your client is responsible for your part of the process. It means that your clients need to have a quality agreement with you, and you need to have procedures and records that will prove that your part of the production is performed in compliance with specific requirements from the ISO 13485 or FDA 21 CFR. 

  How this quality agreement looks like, you can see here:

  • Quality Agreement for Subcontractor  https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/