  • First steps towards ISO 27001

    First, it is important to note that ISO 27001 does not require a gap analysis, and we do not recommend it for small organizations (i.e., up to 100 employees), because at this size it is easier to go directly to the implementation of the standard.

    Broadly speaking, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

    1. define the basic ISMS framework (e.g., scope, objectives, organizational structure) by understanding the organizational context and the requirements of interested parties;
    2. develop the risk assessment and treatment methodology;
    3. perform a risk assessment and define the risk treatment plan;
    4. implement controls (e.g., documentation of policies and procedures, acquisitions, etc.);
    5. train people and raise awareness;
    6. operate the controls;
    7. monitor and measure performance;
    8. perform an internal audit;
    9. perform a critical management review; and
    10. address nonconformities, corrective actions, and opportunities for improvement.

    To see what documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    This article will provide you with a further explanation about ISMS implementation:

    These materials will also help you regarding ISO 27001 implementation:

  • Information security in project management

    In short, you can think about the inclusion of information security in project management as if you are going to implement a small ISMS that will fit the project's needs and be proportional to the project's lifetime and budget.

    Considering that, this is some of the evidence you should consider:

    • definition of information security objectives and their inclusion in the project objectives, in the same way you define information security objectives for an ISMS aligned with the organization's objectives; the only difference is that these objectives are restricted to the scope of the project.
    • initial and regular information risk assessment in the project and identification of applicable legal requirements, as you would do with other business processes, to identify the necessary controls (the controls you mentioned should be based on this step)
    • evidence related to the implemented controls (e.g., backup media, if control A.12.3.1 Information backup is implemented).

    This article will provide you with a further explanation about information security in project management:

  • Auditing Extrusion

    As you know, your control plan starts with the incoming inspection process and shows all the stages up to shipment of the product to the customer. Therefore, all these processes should be audited as manufacturing process audits according to your control plan. In fact, these processes should be audited during the shifts in which they operate, and auditors should audit shift changes, because all these processes play a critical role in providing products to the customer and, in case of a deficiency, they will come back to you as a customer complaint and, as you know, the 8D process starts.

    For more information, please read the following articles:

    • Five Main Steps in an IATF 16949:2016 Internal Audit  https://advisera.com/16949academy/knowledgebase/five-main-steps-in-an-iatf-169492016-internal-audit/
    • How to make an Internal Audit checklist for IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iatf-16949/
    • ISO 9001 and ISO 13485

      Yes, it is. You can continue implementing ISO 9001 and add the differences coming from ISO 13485. You can see that there is a lot in common, although they follow different structures.

      The following material will provide you with more information:

    • Calibration of laboratory equipment

      Although I cannot tell which analyzer you are specifically referring to, as a testing laboratory you need to start by understanding the difference between calibration and verification, and what level of measurement uncertainty and traceability to the SI is achievable and acceptable (e.g., national or international traceability). This involves having a suitable calibration program and intermediate checks (verification) to meet ISO 17025 clause 6.4 (equipment requirements) and clause 6.5 (metrological traceability). Note that assuring your results goes beyond the analyzer; it includes all equipment used in the process, e.g., analytical balances, glassware, dispensing devices, and the reference standards used to establish the analytical calibration on the instrument.

      Regarding your reference to the difference between "external" and "internal": external is when you contract an ISO 17025 calibration laboratory to perform validations. What you are referring to as "internal" is rather referred to as "intermediate checks" or "verification". This is because it is possible for laboratories to calibrate internally if the calibration requirements are met. Calibration laboratories must have certified reference standards with strong metrological traceability to the SI and a fit-for-purpose, well-documented measurement uncertainty for each test property. When using a calibration laboratory, for example, to calibrate your analytical balances, they need to use a suitable class of reference weights. Depending on the class of balance, a particular class of reference weight must be used to calibrate such a balance, as they have different specifications (agreed technical parameters), resulting in a particular level of measurement uncertainty.

      How often you do external calibrations and whether you need to perform intermediate checks (and how often) depends on the process steps and what equipment is used. For analytical balances it is straightforward: a laboratory would use a set of weights that it owns, where each piece has metrological traceability to the SI, having been previously calibrated by an external calibration provider (at a suitable frequency, based on risk and need). So here you have reported uncertainties on the calibration certificate that you confirm are acceptable for each piece. Then you perform intermediate checks (verifications) on your balances at suitable time intervals (also based on risk), across the range of use (g) of the balance. For your analyzer, your intermediate checks could be functional, based on the instrument performance, as well as by using standard reference checks against the calibration. This involves using different standard solutions or materials from those used in setting up the calibration on the analyzer.

      For further information see the following:

      The article What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/

      The ISO 17025 document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure//

      ILAC G24:2007 Guidelines for the determination of calibration intervals of measuring instruments (note currently under revision) available for download at https://ilac.org/?ddownload=818

      You can also refer to another Expert Advice Community Q&A, Are intermediate checks required for calibration laboratories? at https://community.advisera.com/topic/are-intermediate-checks-required-for-calibration-laboratories/

    • Marketing Auditor services

      So, you are an ISO 9001 internal auditor and you want to find clients for your audit service.

      https://www.screencast.com/users/ccruz5284/folders/Default/media/44897233-09bd-48d7-a7c8-1f49e7253b66

      Potential clients must be aware of your competence. About competence: can you provide evidence of experience as an auditor? Can you provide evidence of training as an auditor? Can you provide evidence of certification as an auditor, to provide image and credibility?

      Potential clients must be aware of your existence. You must develop your own brand by evidencing your knowledge and experience. You evidence your knowledge when you write. You should write. Share what you know, share your experience and results, and share testimonies from your clients about the outcomes of working with you. Use blogs, professional networks, trade magazines, and your LinkedIn profile, and make presentations at conferences. And don't forget to develop a network of contacts. Consultants implementing quality management systems always need an independent first-party auditor, so you can contact them and offer your services. As soon as you have enough experience as an internal auditor, you can contact certification bodies to offer your services as a third-party auditor.

      The following material will provide you with more information:

    • OOS/Deviation

      I believe OOS stands for Out Of Specification. You can find help in ISO 9001:2015 clause 8.7.

      When you find an OOS product, you have to segregate that product to avoid unintended use, and you have to decide what to do with it:

      • Ship it as it is, after talking with the client;
      • Correct or rework the product;
      • Downgrade the product as 2nd grade or off-grade.

      The following material will provide you with more information:

    • Design and development in service provision industry

      I have no experience in the security provider industry. I'm sure the industry has to follow guidelines from regulatory bodies. If they exist, they set a kind of general process to be followed. For example, I found on the internet the OCC Bulletin 2004-20, "Risk Management of New, Expanded, or Modified Bank Products and Services: Risk Management Process".

      I suppose that the process was updated in 2017 with this: https://www.occ.treas.gov/news-issuances/bulletins/2017/bulletin-2017-43.html So, a possible process can be:

      • After validation of the conceptual idea for the product
      • List all inputs for design and development (part of due diligence – Step A)
      • Follow the process activities (Steps A, B and C)
      • Apply controls (reviews, verifications and validations)
      • Define product specifications, advance with product registration
      • Market and distribute the new product
      • Launch the new product

      The following material will provide you with more information:

    • Conformio implementation plan with ISO 27001

      The Conformio platform has basic Document Management System features that fulfill the ISO 27001 document management requirements, so you can keep all your ISO 27001-related documents in Conformio.

      This article will provide you with a further explanation about document management:

    • Roles and responsibilities for ISMS specific processes

      ISO 27001 does not prescribe roles to be defined, so organizations are free to define them according to their needs.

      Regarding responsibilities, ISO 27001 only requires the definition of these responsibilities:

      • ensuring that the ISMS conforms to the requirements of the standard
      • reporting on the performance of the ISMS to top management.

      Organizations can define other responsibilities according to their needs.

      These articles will provide you with a further explanation about roles and responsibilities:

      These materials will also help you regarding roles and responsibilities:
