Search results

  • Approach to build a quality management system

    The main steps for implementing a quality management system are the same. However, the larger an organization is, the more complex and the more vertical it is. So, normally, larger organizations require more formalization and more training. For example, a larger organization may need documented procedures for some activities that a smaller organization in the same economic sector may decide not to formalize in a documented procedure. A smaller organization may use an all-hands meeting to communicate a message to everybody, while a larger organization may need to use a newsletter, a video or another scalable option.

    About implementing ISO 9001:2015 perhaps this free webinar on demand, articles and book can help you:

  • Standard Operation Procedure SOP

    Protocols are a set of rules and standards established by an external regulating body, whereas SOPs are the methods used to achieve or comply with those protocols. Protocols do not necessarily have an SOP, and you can also develop an SOP regardless of whether there is a protocol that needs to be complied with. In addition, protocols are goal-oriented or problem-oriented, since they describe what has to be achieved, while SOPs are the practical instructions that an individual needs to follow to achieve that goal. For instance, a protocol may indicate the accuracy that a process requires, while the SOP is the procedure a lab uses to conduct the process.

    For more information about protocols and SOPs see the following materials: 

    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Getting top management to commit to meeting the requirements of a quality standard

    For top management to commit to meeting the requirements of ISO 9001:2015, I recommend that, on the one hand, you present the benefits that implementing ISO 9001:2015 brings to the organization and, on the other, that you speak the language top management understands.

    You can translate the ISO 9001 requirements into simpler language with a more business-oriented slant. For example, instead of talking about obsolete documents, talk to management about the loss of reputation that could occur if the organization uses documents that are not up to date. Or instead of talking about nonconformities in quality control, talk about losing money.

    Although money is a powerful language, top management is also interested in topics such as market share, customers won or lost, profit margin, differentiation from the competition, as well as risks to avoid and opportunities to seize.

    For more information on how to engage top management, see the following materials:

    - Six key benefits of implementing ISO 9001: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/seis-beneficios-clave-de-la-implementacion-de-iso-9001/

    - To what extent should top management be involved in your QMS: https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/

    - ISO 9001 top management audit: how to perform it successfully: https://advisera.com/9001academy/blog/2019/05/15/iso-9001-top-management-audit-how-to-perform-it-successfully/

    - Presentation - Why ISO 9001:2015 awareness presentation: https://info.advisera.com/9001academy/free-download/why-iso-9001-2015-awareness-presentation

    - Free online course - ISO 9001:2015 Foundations Course - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • ISO 9001 Process Description

    In a process description (ISO 9001) - Should we begin by stating 'Input' or a more mandatory 'Entry criteria'?

  • ISO 27001 certificate

    1 - Can we take the ISO 27001 certificate with a master's degree in general management in organizational strategy and 4 months of experience as a business intelligence consultant?

    ISO certifications for persons do not require previous competences or experiences, so it is possible to take them with this current background.

    There are several different ISO 27001 personal certifications available, and you have to choose what is most appropriate for you:

    • ISO 27001 Foundations Course - this is where you learn the basics of the standard, probably the best way to start as a beginner
    • ISO 27001 Internal Auditor Course - this is for becoming the internal auditor
    • ISO 27001 Lead Auditor Course - this is for becoming the certification auditor
    • ISO 27001 Lead Implementer Course - this is for becoming a consultant or an implementer in your own company.

    These materials will help you:

    2 - Can we work remotely as an aid in audit or iso 27000 implementation projects under these conditions?

    Remote work is possible for audit and implementation projects, depending on the scope (some activities, like the audit or implementation of some physical controls, can only be performed in loco). You should define these situations with your customers.

    Regarding consultancy services, besides information security-related certifications, you also need to consider competencies related to project management, and accumulate experience, either working with another consultant or performing activities in the information security field for a company. You should also consider the Lead Implementer certification.

    For more information, see:

  • ISMS Scope - remote working

    1 - A question on ISMS scope and 3.3 Locations in your toolkit template. Due to covid we no longer have a physical office, it may be that we never return to having one as we mainly all worked remotely in any case. We have 6 people in our business, but 4 remote working locations.

    For the purposes of ISO27001, are those 4 remote working locations to be in scope for our ISMS? I think the answer is no because we are a SAAS company and your webinar on ISMS scope said that SAAS cloud companies did not need to look at HW or SW, just their data.

    Your assumption is correct. Regarding remote workers, normally you do not control the environment where they are, so these are kept out of the scope.

    These articles will provide you a further explanation about defining scope:

    2 - However, what about operational controls to ensure information and data such as passwords are not left lying around? An imposter could in principle log on and get into our system. Would we need a tidy desk policy or something like that so that no paper passwords or client data/information is on note pads or left out? How would you actually enforce that with remote working? Perhaps a risk you choose to acknowledge but not do anything about, as you can’t enforce a locked room in someone’s home. Not sure what other companies are doing on this point now that everyone is working from home.

    Should we be saying that employees log out when they go away from their computer? Should we be keeping a record of when an employee signs in and signs out of their device or applications on that device? We value our flexibility and don’t want to upset our culture by having a big brother approach to how we work and operate.

    In such cases with remote workers, you treat remote access as a risk in your assessment, and treat the unacceptable risks by means of controls from section A.15 - Supplier relationships (e.g., by using contracts and terms of service to enforce security practices).

    This article will provide you a further explanation about the scope definition and supplier management:

  • Disposal of assets

    Please note that while ISO 27001 provides a general objective for the disposal of media, it does not provide technical guidance on how to perform media disposal.

    To see what a Disposal and Destruction Policy compliant with ISO 27001 looks like, please see this free demo template at this link: https://advisera.com/27001academy/documentation/disposal-and-destruction-policy/

    For technical guidance, you should consider these references:

    These articles can also help:

  • Documents and records

    1 - A further point to the below on when a document can become a record.

    This is the principle in the document change history section of documents, that I’ve been basing our document version control journey on:

    V0.1, v0.2, v0.3, v0.4 = Drafts

    V1.0 = Approved version based upon v0.4

    V1.1, V1.2, V1.3 = Updates to the v1.0. Draft status.

    V2.0 = Approved version based upon v1.3

    V2.1, V2.2, V2.3, V2.4 = Drafts

    V2.4 is reviewed and approved

    V3.0 = New approved version.

    I had thought that as soon as a document has approved status it becomes a record. At that point the document, which is now in the record log, is subject to the controls regarding assigning an owner who must check the content on a given review date to ensure that the information and data contained within the document are accurate, current and relevant.

    From the advice you have given, I realise I have misunderstood what a record can be and also the controls that apply to records. The above example of a document, from what you are saying, is not to be considered a record. However, the quality control still needs to take place to review all documents that contain information and data for their accuracy and relevance etc.?

    Please note that a document only becomes a record when you cannot change it anymore (at most you can add an amendment, but the original record is kept intact), and you need to implement controls to ensure unauthorized changes do not occur. While it is subject to updates, you need to review it when necessary to ensure it is still accurate and relevant, so quality control still needs to perform actions on documents.

    2 - Records cannot be edited or amended and they have retention periods, whereas documents are only required up until the point that they are useful to the business. Therefore, all previous versions of documents can be archived or deleted. Is this a correct statement?

    Filing and exclusion of a number of obsolete versions of documents (i.e., approved versions that were replaced by updated ones) will depend on the applicable requirements for records retention. For example, for some documents you may need to keep all previous versions, while for others you may need to keep only the two previous versions.

    3 - A secondary point, is the above example of version control a good practice approach or am I leading our team down the wrong path?

    Your example of versioning is a common one used in the market and is fine to be used for ISO 27001.

  • Requirements for analytical laboratories under 16949 designation

    When you use an external laboratory, ISO 17025 accreditation is a must.

    If your supplier who produces the product performs the tests in his own laboratory, I think that if he provides you with evidence that he is in compliance with the 7.1.5.3.1 requirements of the standard, that is, that his internal laboratory is in compliance, it will be sufficient with PPAP.

    But again, to be safe, it would be better if you have the tests that are legally required on the product done by an accredited laboratory.
