Search results

NCR tool

In this kind of situations, you can use a model to help you describe the situation and get ideas about what can help you in promoting change.

Normally, people don’t change just because they don’t want to change. Look for what can motivate them to change and act on what can block the change.

As an example of anxiety, they may want to be afraid of any finger pointing to individual cases due to a better traceability around nonconformities. As an example of inertia, they may have genuine difficulties in using the NCR tool. Train them on its use.

Please find below more detailed information:

• QMS Change Management in 7 steps - https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Implementing information security continuity

1. In ‘06 Statement of Applicability’ > ‘Implementation method’ is [Business Continuity Plan] while In the ‘List of Documents ISO 27001 ISO 22301’ there is marked that
’Appendix 6 – Disaster Recovery Plan’ is mandatory document for A.17.1.2.

The document choice will depend on the ISO standards implemented.

If you are implementing only ISO 27001, the Disaster recovery document is sufficient to cover the standard requirements. In case you are implementing ISO 22301, of ISO 22301 and ISO 27001 at the same time, you need to use the business continuity plan (please note that the disaster recovery plan is an annex of the BCP).

For further information, see:

• Business Continuity Management vs. Information Security vs. IT Disaster Recovery https://advisera.com/27001academy/blog/2017/02/27/business-continuity-management-vs-information-security-vs-it-disaster-recovery/ 

2. Second, if one should seem that Disaster recovery should be in place in the Company but A.17 Information security aspects of business continuity management are not applicable, should one use only ’Appendix 6 – Disaster Recovery Plan’ to document recovery?

The purpose of Disaster Recovery Plan is to document how your IT infrastructure is to be recovered, it does not have the purpose of recovery of business parts of the organization. By the way, from our experience, a large majority of companies find controls from section A.17 applicable.

Cleaning environment with minimal resources

Implementing an environmental management system is not about solving all environmental problems with a magic trick.
ISO 14001:2015 is based on the PDCA cycle:

ISO 14001:2015 invites us to invest our scarce resources where their environmental return is bigger. Organizations should not try to solve all problems at the same time, there will never be enough resources and the results will be minimal.

In the first turning of the cycle, organizations act upon the first set of significant environmental aspects. In a second turning of the cycle, organizations should update the significance classification and update the investment priorities. That way we can ensure the best use of available resources.

Please check this information below with more detailed answers:

• Article - Plan-Do-Check-Act in the ISO 14001 standard - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/plan-do-check-act-in-the-iso-14001-standard/
• Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
• Article - Catalogue of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Is IATF 16949 is sufficient to evaluate the QMSs of OEMs?

1. Do you consider that IATF 16949 is sufficient to evaluate the QMSs of OEMs?

Yes, IATF 16949:2016 standard is sufficient for customer-specific requirements evaluation due to the IATF 16949: 2016 standard addresses customer-specific requirements at many points.

2. If so, why are there supplementary audits like VDA6.3 or ASES of Renault-Nissan? Thank you.

As you know, customer-specific requirement means automotive customer expectations. This issue is addressed in Article 4.3.2 of the IATF 16949: 2016 standard. In addition, in annex B, section’’ Bibliography-supplemental automotive’’ of the same standard, customer-specific requirements of all OEM customers are shown and explained.

For example, if the organization's customer is VW, in this case, it is stated that it should comply with special requirements such as VDA 6.3-6.4-6.5.

For more information, please read the following articles:

• How to define the scope of the QMS according to IATF 16949:2016 https://advisera.com/16949academy/blog/2017/06/28/how-to-define-scope-of-the-qms-according-to-iatf-16949/
• How to define roles and responsibilities within an IATF 16949-based QMS https://advisera.com/16949academy/blog/2017/11/29/how-to-define-roles-and-responsibilities-within-an-iatf-16949-based-qms/

• Which aspects of MDR compliance should be main priority?

  If your medical devices are already certified according to the MDD 93/42/EEC, first you need to check is there a change in the classification of your medical devices. In MDD there were 18 rules, in MDR 2017/745 there are 22 rules, so some medical devices have been changed to a higher class.

  You can find Classification rules in EU MDR Annex 8 Classification rules: https://advisera.com/13485academy/mdr/classification-rules/

  The next requirement that needs to be fulfilled is the requirement for the Post-market surveillance system.

  This system is in detail explained in following MDR chapters:

  • EU MDR Chapter 7 - Post-market surveillance, vigilance, and market surveillance: https://advisera.com/13485academy/mdr-heading/post-market-surveillance-vigilance-and-market-surveillance/
  • EU MDR Annex 1 - General safety and performance requirements for each medical device or medical device family - https://advisera.com/13485academy/mdr/general-requirements

  For more information about MDR, please see the following articles:

  • EU MDR - Easy-to-understand basics: https://advisera.com/13485academy/what-is-eu-mdr/
  • How can ISO 13485 help with MDR compliance?: https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/

  • Executives involved in ISO 27001

    1. How and which Executives need to get involved in ISO 27001.

    The executives to be involved will depend on the ISMS scope. In case all the organization is in the ISMS scope, then the CEO is the top executive to be involved, as well as the other executives, representing their areas. In case the ISMS scope is limited to part of the organization, then the highest executives in the defined scope must be involved.

    The executives' involvement basically covers:

    • ensure that information security supports the company strategy;
    • definition of objectives to be achieved;
    • definition of specific related responsibilities and authorities to information security;
    • provision of resources;
    • general performance review.

    For more information about the roles and responsibilities of executives in information security I suggest these materials:

    • Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    • Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
    • How to document roles and responsibilities according to ISO 27001 https://advisera.c om/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    • ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    2. Which documents need to be overseen by them specifically?

    Considering the mentioned responsibilities, the most common documents you will find are:

    • Information security policy
    • Management review

    To see how these documents look like, please access these links:

    • Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/
    • Management Review Minutes https://advisera.com/27001academy/documentation/management-review-minutes/

  • Need of keeping data beyond each specific project

    No, you need to know what data you will keep (maybe personal details in suppliers/customers invoices), how long you will keep them (usually bookkeeping periods are defined by law) and how you will protect and then you need to develop your own privacy notice to inform in a transparent manner how you will process personal data. If you do not keep projects data, you will write so to inform individuals about it. You need also to protect data with some security measures. 

    Here you can find some information:

    • GDPR challenges for small companies: https://advisera.com/articles/gdpr-for-small-businesses-the-most-common-challenges/
    • Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
    • First steps to take to reach GDPR compliance: https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/

    You may also consider enrolling in this online EU GDPR Foundations Course: EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

     

  • Shipment rating systems

    You can draw the process flow where those companies interact with your organization and then determine possible risks. Evaluate those risks and for the most significant include the topics in your rating scheme.

    Please find below more detailed information:

    • How to evaluate supplier perfor mance according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
       

  • External or Supplier Audits

    You can follow exactly the same procedure as for internal audits. Where you should invest more time is in the audit scope definition and in the audit objective definition. Please check Annex “A.12 Audit of supply chain” in ISO 19011:2018.

    Please find below more detailed information:

    • First-, Second- & Third-Party Audits, what are the differences? - https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
    • Why should companies perform a second-party audit of their supplier’s QMS? - https://advisera.com/9001academy/blog/2017/09/12/why-should-companies-perform-a-second-party-audit-of-their-suppliers-qms/
    • ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
    • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

  • ISO 22301 certification

    1. When looking for certification in *** I realize that there are not really a lot of people with experience in 22301. I talked to *** and they all struggle to find a proper contact to talk to. On the ISO Website, I saw the 2018 survey than resulted in a total of 1128 certifications worldwide and only 7 in ***. Do these numbers seem correct to you? Do you know German companies with a 22301 certification?

    We do not know this country ISO 22301 environment well enough to provide an objective answer, but we can suggest you contact certification bodies in this country and ask for the number of companies they certified in this country.

    2. We realized that a cyber attack is a very likely threat. As Financial Services we rely heavily on our IT department (who is in the process of getting certified by 27001). How can we handle that in the scope of the BC Plan? Is it OK to delegate the responsibility to IT or do we have to come up with our own detailed plans? We need to come up with ideas and plans on what to do when such an incident occurs and how we e.g. bridge the first hours and days, but it is difficult to take ownership for fixing the IT part. How can that be handled?

    Please note that a BC Plan has to cover two major groups of activities: support activities and business activities. Considering that, although you can delegate the recovery of information systems to the IT department, there may be a need for other actions not related to IT to be executed. For example, in case of disruption of internal organization's communication services, an emergent alternative could be resuming activities through employees' cellphones, and such activity should be organized by the manager of each team until the IT can recover internal communications.

    This article will provide you a further explanation about elaborating a BCP:

    • Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

    This material can also help:

    • Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/