Search results

ISO 9001 Question

After reading your description I made the following drawings. First:

And second:

1. How to apply requirements of subject clauses 8.5 & 8.6 of ISO 9001:2015 in our above-mentioned activities? 

Answer:

Your organization provides different kinds of services and each time a ship is serviced a different combination of services and parts may be required. So, I’m thinking about designing how each individually service should be performed with what kind of procedures, records and controls, as a kind of library of services.

Each provision of service in a particular ship in a particular request will be a combination of one or more services. You only add the monitoring and control of the set of services in place. After a request for intervention your organization designs and develops a project for that particular request. If you look into each service in your library, you can draw a flowchart from start to end and you can apply clause 8.5. In that flowchart you can identify all places where there are risks of something being wrong and design a quality control plan (clause 8.6)

2. How to develop a process flow chart for above activities? 

Answer:

If you try to develop a process flowchart for all activities at the same time it will become a big mess and it will not be useful. A model it is not about describing reality as it is, a model is about describing reality in a useful way. So, that is why I recommend developing a process flow chart for each service and then, develop a project flow chart about how the whole intervention will be managed and controlled.

3. Is it necessary that all OEMs & Equipment Servicing companies ?  
Repairers to be evaluated for their performance as per Clause 8.4 of ISO 9001:2015 which normally is extremely difficult in our case ? 

Answer:

It is up to each organization to determine what kind of qualification is required for its suppliers. For example, an organization may decide no qualification for a supplier of standard parts but may require more for a supplier of made to order customized parts. About evaluation of performance your organization may decide which suppliers are critical and only evaluate those suppliers.

You can find more information below:

• Risk-based thinking is a great way of implementing prevention and control into a quality management. ISO 9001:2015 promotes the process approach and in this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ I show how to relate processes, risks, training, documentation and control
• Purchasing in QMS – The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ where I use the risk-based thinking in several examples.
   

ISO 9001 Question

QA agreement is also valid for services suppliers?

Answer:

Of course, it is, as long as both parties understand it, and reach an agreement about service level

How can we efficiently and clearly accept all of the above-requested information in QAA? According to ISO 9001 2015, which sections?

Answer:

Before an agreement is reached there is a negotiation. Each party comes to negotiation with a proposal. Imagine that your organization will be responsible for doing those 7 points. What kind of competency requirements, procedures, records and control you would implement? That can be your starting point for the negotiation. About ISO 9001:2015, for starters consider clause 8.4.1 c) and 8.4.3, your organization is buying processes, what in previous versions of the standard was known as subcontracting or outsourcing. For other clauses I see things like these:

– 8.4, 8.6 and 8.7
– 8.2.1, 8.5.5 and 8.7
– 8.5.1 h)
– 8.2.1, 8.5.5 and 8.7
– 8.5.6
– 8.5.1 f) h)
– 8.5.2

Can we audit the supplier processes according to VDA 6.3?

Answer:

Again, that should be included in the QAA. Please check ISO 9001:2015 clause 8.4.3 f)

The following material will provide you more information:

• Purchasing in QMS – The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ where I use the risk-based thinking in several examples.
   

ISO 9001 Identifying and Assessing Risk and Opportunity

First, although useful, it is not mandatory to use a risk and opportunity matrix/criteria to evaluate risks and opportunities.

I recommend using a very simple matrix for any level:

Where L stands for Low, M for Medium and H for High. Severity is more for risks, for opportunities you may use Advantage.

After using this approach for some time you can refine the matrix and include more factors if considered relevant.

The following material will provide you more information about risks and opportunities:

• Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
• How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
• Please check this free webinar on demand - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ where I use the risk-based thinking in several examples.
   

ISO 14001 minimum requirement

There is no minimum requirement. The whole standard is applicable. However, the application is not blind, the application will be a function of how your consulting business interacts with the environment with aspects and impacts. A small consulting business will have a small interaction with the environment.

You can find more information below:

• ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
• Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
• Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/ 

Implementation of ISMS

1 - How and where to start in project for ISMS implementation.

Roughly speaking, ISO 27001 implementation steps can be resumed in:

1. getting management buy-in for the project;
2. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3. development of risk assessment and treatment methodology;
4. perform a risk assessment and define the risk treatment plan;
5. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6. people training and awareness;
7. controls operation;
8. performance monitoring and measurement;
9. perform internal audit;
10. perform management critical review; and
11. address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you a further explanation about ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding the ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

2 - Do you have any knowledge base which talks about step by step ISO 27001 implementation state. This project involves many stakeholders like application security , database track etc. So how to manager those team, as i am alone from GRC team. I have to ensure entire service tracks are aligned with ISO 27001 requirements. So please provide your valuable inputs.

Our website provides several articles and free downloadable material that can help you with several issues related to ISO 27001 implementation, such as:

• Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
• Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001
• Step-by-step explanation of ISO 27001/ISO 27005 risk management (PDF) https://info.advisera.com/27001academy/free-download/step-by-step-explanation-of-iso-27001-risk-management
• How to Budget an ISO 27001 Implementation Project (PDF) https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
• Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

To see how documents compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

Risk Management and "Asset value" & Asset Criticality

1) Does ISO 27001/27005 requires the Risk Management process to use asset value as part of calculating the risk assessment level.

ISO 27001 and ISO 27005 do not prescribe the use of the asset value for risk assessment, so organizations are free to use any approach they see fit to their needs.

For further information, see:

• ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

2) Does the standard require asset valuation as part of the Risk Management process? Or can be seen as an input, rather than a direct output of the process. That is to say, asset value is important to me as Risk Manager, but I need that input from the organization. It is not my responsibility to produce it as part of the RM process

ISO 27001 requires only that risks are evaluated, so you can either obtain this value as a result of asset valuation, or any other risk management related process or from direct input from the personnel involved in the risk assessment process. Please note that in either case, the responsibility for the value is from the personnel involved in the risk assessment process, but you, as Risk Manager, must ensure the processes are performed in the right way, and with the proper personnel.

3) What is the relationship between asset value and criticality assessment (like FIPS 199/200)? Again, I see asset criticality assessment as an input to RM, alas, not something that I am responsible for as part of the RM process.

Criticality analysis is a systemic approach to identify how critical an asset is to the business, to support the evaluation of potential risks, and highlight any business impacts associated with such risks. Considering that, for this approach, you do not need the asset value, but only the identification of the asset itself (in this case, you need to evaluate the impact caused by the lack or failure of the asset).

4) Finally, have you written a solid book (like the one on 22301) that explain in details how 27005 should be applied section for section?

Since ISO 27005 is a supporting standard for ISO 27001 implementation, we did not develop a book covering this specific standard but used its guidance and recommendations to develop the ISO 27001 Risk Management in Plain English.

Inquiry about Gap Analysis

Please note that the article states that "you don't need" to perform gap analysis for clauses of the main part of the standard, not that it cannot be performed.

The provided tool in our website has a different purpose than help verify the fulfillment of a standard's requirement: it can be used by organizations in order they get an overall and general feeling of where they are in the current moment, and to find out which resources they may need to employ in order to implement ISO 27001 before any real action or project is developed and implemented.

Underscores in a file name

The underscore is used instead of spaces because some old operational systems and applications have problems handling spaces and other special characters. Since we do not know if our customers may have issues regarding these situations we make use of underscore in toolkits name files.

The use of underscore may turn filenames difficult to read by persons, so you need to verify in your own context the need or not for the use of underscore in file names.