Search results

Risk Assessment Table

This catalog included in the toolkit is generally enough for most of our customers, but if you need additional threats and vulnerabilities to you risk assessment, I suggest you see this document from Enisa, which shows a set of materials with lists of threats and vulnerabilities:

• Reference source for threats, vulnerabilities, impacts and controls in IT risk assessment and risk management https://www.enisa.europa.eu/publications/archive/reference-source-for-threats-vulnerabilities-impacts-and-controls-in-it-risk-assessment-and-risk-management

Mandatory Procedures

First of all, we apologize for this situation. This article was written for the 2005 version of the standard.

Although version 2005 of ISO 27001, in fact, prescribed four mandatory procedures, its current version does not prescribe them anymore (although some organizations keep/elaborate them as good practice). These currently non-mandatory procedures are: procedure for document and record control, internal audit procedure, corrective action procedure, and management review procedure.

This article will provide you a further explanation about all mandatory documents and records for ISO 27001:

• List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

Significant aspects of ISO 14001

When working with organizations I start with what I think is the most basic rating system:

Does it comply with compliance obligations? If no, it is significant. If yes, apply a second test based on frequency/probability versus severity.

Where L stands for Low, M stands for Medium and H stands for High.

Please check this information below with more detailed answers:

• Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
• Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

Implementation of the function segregation matrix in a small company

First is important to note that ISO 27001 does not prescribe how to document responsibilities in an ISMS, so organizations are free to document them the best they fit their needs.

Considering that, there are two common ways:

• you can document the segregated functions directly in the document they are used (e.g., documenting the responsibilities to create and test backup in the Backup Policy). In this approach, users have easy access to the information, but it is more complicated to have a systemic view
• you can create a single function segregation matrix, documenting all segregated functions you have. In this approach, it is easier to have a general view of functions, but users may find it difficult to use the documents when needed.

These articles will provide you a further explanation about documenting responsibilities and segregation of functions:

• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
• Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

Implementação da matriz de segregação de funções em um empresa com 130 funcionarios

Em primeiro lugar, é importante observar que a ISO 27001 não prescreve como documentar responsabilidades em um SGSI, portanto, as organizações são livres para documentá-las da melhor forma que atendam às suas necessidades.

Considerando isso, existem duas maneiras comuns:

• você pode documentar as funções segregadas diretamente no documento em que são usadas (por exemplo, documentar as responsabilidades para criar e testar o backup na Política de Backup). Nessa abordagem os usuários têm fácil acesso às informações, mas é mais complicado ter uma visão sistêmica
• você pode criar uma única matriz de segregação de funções, documentando todas as funções segregadas que você possui. Nessa abordagem, é mais fácil ter uma visão geral das funções, mas os usuários podem achar difícil usar os documentos quando necessário.

Estes artigos fornecerão mais explicações sobre a documentação de responsabilidades e segregação de funções:

• Como documentar papéis e responsabilidades de acordo com a ISO 27001 https://advisera.com/27001academy/pt-br/blog/2016/06/22/como-documentar-papeis-e-responsabilidades-de-acordo-com-a-iso-27001/
• Segregação de funções em seu SGSI de acordo com a ISO 27001 A.6.1.2 https://advisera.com/27001academy/pt-br/blog/2016/11/23/segregacao-de-funcoes-em-seu-sgsi-de-acordo-com-a-iso-27001-a-6-1-2/

Individual relevance of ISO 9001

ISO 9001 is a standard developed for organizations not for individuals. Nevertheless, it has benefits for employees. Please, check this article - What are the benefits of ISO 9001 for your employees? - https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/

You can find more information below:

• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Implementing QMS in a consultancy firm

Implementing a quality management system (QMS) for a consulting firm implies being very pragmatic and knowledgeable about ISO 9001:2015. Now the standard is less and less bureaucratic, it is up to each organization the task to design, develop and implement its QMS.

Setup a project sponsor, a project manager and a project team. Determine the scope of the QMS. Your organization may provide consultancy services in several areas, but only want to certify one or two services. Ensure top management support, get training and as a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis you can develop your Project Plan, listing what needs to be done, by whom, until when.

Then, an important step is to design a model of how your organization work as a set of interrelated processes. For example:

Decide how to describe and monitor those processes.

From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

This is a very short description of the journey but below you can find more detailed information:

• Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Diagrama de tortuga

Para definir los procesos en ISO 14001 debe de tener en cuenta las etapas del ciclo de vida de sus productos o servicios, tanto aquellos que puede controlar como aquellos en los que puede influir, para poder identificar todos los aspectos ambientales asociados a los procesos y establecer los controles operacionales necesarios. 

El diagrama de tortuga por un lado emplea el caparazón para nombrar el proceso, y por otro,  utiliza las cuatro patas de la tortuga para representar cuatro preguntas sobre un proceso: con quién, con qué, cómo, con qué criterios (los indicadores de desempeño que indican el éxito o fracaso del proceso), y la cabeza y la cola para representar las preguntas sobre las entradas del proceso y las salidasdel proceso. 

Para más información de cómo identificar los procesos en el diagrama de tortuga vea los siguientes materiales: 

- The importance of the process approach: https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/

- Curso fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

- Libro - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Enquiry on implementation on Engineering projects

You asked

"I will like to know how to set up a project applying the said standard

The starting point is to purchase the standard from ISO or your national Standards publishing organisation. Then to assist with implementation and applying for accreditation, look to reputable assistance such as the Advisera ISO 17025 Academy. The home page is at https://advisera.com/17025academy/

Have a look at the free resources at https://advisera.com/17025academy/free-downloads/ and download the Diagram of ISO 17025 Implementation Process  as well as the Project Plan for ISO/IEC 17025 implementation shown on that page.

Thereafter look at the benefits of using the toolkit, where various options are offered at https://advisera.com/17025academy/comparison/ and the available previews of the entire kit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

You also asked  

and the effects of ISO 17025 on projects

The following articles will give you some information on the importance of the ISO 17025 standard and it how can help your company and clients.

What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/
Six key benefits of ISO 17025 implementation at https://advisera.com/17025academy/blog/2019/10/18/six-key-benefits-of-iso-17025-implementation/
More and more academic laboratories and companies running various development projects which include testing, are seeing the benefits of ISO 17025 accreditation.

Thirdly, you asked

and how I can obtain a certification for the same ISO. To show competence on potential employers."

Laboratories achieve accreditation to ISO 17025, not certification. It is also not possible for a person to be certified to ISO 17025. What is possible is to show the technical competency and operational competency of personnel who work effectively within an ISO 17025 managed laboratory system. This is done through objective evidence during training and monitoring.

If you are not working in an ISO 17025 accredited laboratory, you could develop your knowledge by working through the standard and toolkit, and attending training on the system and implementation requirements of ISO 17025.  Thereafter you can develop your skills and competency by applying the knowledge and contributing to the success of a laboratory in implementing and/or maintaining accreditation. Internal auditing, risk assessments; as well as method validation and measurement uncertainty are examples of areas where you can attend courses and obtain training certificates. Once applied in the laboratory, you can demonstrate your competency and obtain a competency declaration from management. Furthermore if you are responsible for the validity of results, as a technical signatory for your laboratory, you will also be assessed by the accreditation body. Your name may then appear on the laboratory’s accreditation certificates.

Besides the Advisera ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/, you may also be interested in the ISO 17025 Academy webinars at https://advisera.com/17025academy/webinars/

ISO 9001 How to make it interesting?

Working with organizations I try to do that by showing top management the pain from the present: Defects, costs, complaints, delays, lost customers, loss, and their consequences for the organization. It is what can push them to change.

Other alternative is to try to pull them to change by showing how a quality management system can help in improving performance.

For both situations I invest a lot in aligning the quality management system with the strategic orientation.

You can find more information below:

• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/