Search results

  • Inquiry about Gap Analysis

    Please note that the article states that "you don't need" to perform gap analysis for clauses of the main part of the standard, not that it cannot be performed.

    The tool provided on our website has a different purpose than helping verify the fulfillment of a standard's requirements: organizations can use it to get an overall and general feeling of where they are at the current moment, and to find out which resources they may need to employ in order to implement ISO 27001 before any real action or project is developed and implemented.

  • Underscores in a file name

    The underscore is used instead of spaces because some old operating systems and applications have problems handling spaces and other special characters. Since we do not know if our customers may have issues regarding these situations, we make use of underscores in toolkit file names.

    The use of underscores may make file names difficult for people to read, so you need to verify in your own context whether or not underscores are needed in file names.

  • ITIL & ISO 20000 Implementation Steps

    Here is some general information about ITIL implementation: „How to implement ITIL“ https://advisera.com/20000academy/knowledgebase/how-to-implement-itil/

    Some steps need to be taken care of before the implementation starts, see „Considerations before ITIL implementation“ https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/

    Once you decide to start the implementation, see the article „Ready, steady… go – Starting ITIL implementation“ https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/

    „ITIL implementation diagram“ https://info.advisera.com/20000academy/free-download/itil-implementation-diagram is available in our free downloads (https://advisera.com/20000academy/free-downloads/), as well as other useful materials (e.g. Project plan, GAP Analysis tool, etc.).

     

  • How do I ensure that I am GDP compliant?

    You need to evaluate how the email address is composed. In fact, a general email address like info@... is not considered as personal data, so you can send emails to companies to present your services, while email addresses with name or surname (direct contact) are personal data under GDPR. 

    How did you collect the emails? Did website users leave them with you on your website (maybe by filling in a form)? In this case check your email notification and be transparent with your visitors by informing them that you will use their email address to send them news about services provided and other great content.

    If you collected emails on social networks or company websites, you need to be aware that these contacts are not published to receive advertising or promotional contacts; the person who published it does not expect to receive such email (unless the text around it allows you to believe otherwise), so it would not be appropriate to contact them. However, if you model your email as a cold email using legitimate interest as a legal ground, you can present your company and the advantages of working with you and underline that you are contacting them because they are looking for a similar profile. This would be in line with GDPR requirements. 

    Here you can find more information:

    You can consider enrolling in our free EU GDPR Foundations Course

    • EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
    • Sheet metal industries (press shop) process validations

      As you know, there are CQI guides which are GM, FORD customer-specific requirements for production process such as heat treatment, casting, welding, molding, coating, etc. For the sheet metal process, there is no special process validation guide like CQI. But if you want, you can prepare a guide by deriving questions from CQIs. Or you can use VDA 6.3 format for production, quality process validation.  

    • ISO 9001 Question

      The auditor focused your attention on a particular problem, the non-conformity raised. Developing a corrective action means finding the root cause(s) and eliminating it/them.

      First you have to expand your mind by answering the question "why". Why did this nonconformity occur?

      A team can brainstorm a set of answers. The answers are hypotheses about what can be behind the non-conformity. Hypotheses are theories, not the truth. Then, the most promising theories are selected, and information is collected, or tests are made to eliminate the wrong ones and keep the good ones. Now, we know what is behind the non-conformity, we know the root cause(s). A root cause is something that has a strong impact on the occurrence of the non-conformity, and it is something that can be managed. It is time to develop a solution, something that will remove or reduce the frequency of the non-conformity. More than one solution may be available; normally one is chosen based on cost, or effectiveness, or easiness or resistance.

      For example, during an audit a nonconformity was raised because there was no evidence of performance of a quality control during the night shift.

      Why was there no control at the night shift?

      Because people:

      1. Don’t like to do quality control;
      2. Think quality control is not their job function;
      3. Have no time to do quality control;
      4. Actually, do quality control, but they do not record the results;
      5. Don’t know how to do quality control;
      6. Did not know they are responsible for quality control; 

      After some investigation (for example: What shifts missed the records? Who worked on those shifts? What kind of training did they have?), you may realize that they never had training (hypotheses 5 and 2) because they were admitted in a rush to respond to a surge in orders.

      In this article you can find an answer to the question about the difference between a major and a minor non-conformity - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

      The following material will provide you with information about root cause analysis:

    • ISO 9001 Successful Implementation

      No, you do not need to memorize the standard for successful ISO 9001 implementation. You study the standard and distill requirements to your processes and introduce or improve practices based on those requirements. People doing quality control do not need to know that they are applying clause 8.6 and they treat non-conformities according to the standard without knowing that it is clause 8.7.

      I think that the process approach can be a great help in doing this because it allows an organization to draw a model of how it works, a model that people can relate to. Then, it is easy to distribute ISO 9001 clauses over the model. The model stands as reference, it is what people know.

      Please check this example:

      https://www.screencast.com/users/ccruz5284/folders/Default/media/e5b64496-b3b3-4ef6-8ba3-af6d81514ea8

      The following material will provide you more information about the process approach:

    • Update SoA

      To update the SoA considering your stated scenario, you need to:

      • update your risk assessment, to see if new unacceptable risks have arisen or current ones have changed
      • review applicable legal requirements (e.g., laws, regulations, or contracts.), to see if new controls are now applicable
      • adjust your risk treatment according to the updated unacceptable risks and applicable legal requirements

      After approving the updated risk assessment and treatment you can update the SoA accordingly.

      This article will provide you a further explanation about SoA:

      For common risks and safeguards related to working remotely, please read:
