Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Guest
From our experience with our customers, smaller companies are usually at ca 100 controls, while larger ones are usually above 110.
But please note that the main criteria considered by certification bodies to justify controls applicability are results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).
It is important to understand that because you can have similar organizations with totality different quantity of applicable controls (above or below the mentioned numbers), because they have different approaches towards risks (e.g., more risk aggressive, more cautious, etc.), and still both can fulfill the standards criteria for certification.
For further information, see:
This material can also help you:
En la última versión de la norma ISO 9001:2015 se habla únicamente de "información documentada", esta información documentada puede ser mantenida, en este caso se trataría de lo que antes denominábamos documento, o la información documentada puede ser retenida, que se trataría de lo que antes conocíamos por registro. Dicho esto, existen una serie de documentos y registros que son obligatorios para cumplir con los requisitos de la norma ISO 9001:2015 y que puede encontrar en el siguiente artículo junto con la cláusula correspondiente:
- Lista de documentos obligatorios requeridos por la ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/
Otros materiales que pueden serle de utilidad para enteder la documentación obligatoria en ISO 9001:2015, son los siguientes:
- Lista de verificación de la documentación requerida obligatoria por ISo 9001:2015: https://info.advisera.com/9001academy/es/descarga-gratuita/lista-de-verificacion-de-la-documentacion-requerida-obligatoria-por-iso-90012015
- Curso gratuito en línea - Fundamentos de ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Libro - Gestión de documentación ISO: una guía en un lenguaje sencillo: https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
What Senior Management wants to hear (and does understand) is profit, market share, client satisfaction, cost cutting, business strategy, and business risks. So, if you want to sell ISO 9001 implementation to Senior Management you should consider translating ISO 9001 benefits into a language that they understand. Consider this article - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/ and try to translate each benefit into tangible results:
You can find more information about ISO 9001 below:
During the certification audit, you need to provide evidence that you are fulfilling all standard requirements (from sections 4 to 10), and has implemented all controls stated as applicable in the Statement of Applicability.
Considering that, by not performing a full internal audit before the certification audit you are not fulling clause 9.2 b), because you are not ensuring all elements of the ISMS are effectively implemented and maintained.
After certification, you only need to align the internal audit activities according to the schedule of the surveillance audits, because the schedule will define what will be audited each year before the next certification audit.
These articles will provide you a further explanation about internal audit:
These materials will also help you regarding internal audit:
Please note that after finishing the analysis you have activities prioritized and impacted assets, but you still did not decide on the strategy on how to provide those resources, so it is not possible to go directly to definition of resources to support the continuity and recovery plans.
For example, to support an 8 hour RTO, an organization can go for its own alternative site or work with a third-party provider, each option will have different resources to be allocated.
In another scenario, to ensure data availability, alternatives may be backup copies kept in another site, or outsource backup.
The main solution, i.e., the strategy, is decided by the top management, with support of business continuity staff, and only after that, you can start to think about resources to be allocated.
This article will provide you a further explanation about business continuity strategy:
- Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/
This material will also help you regarding business continuity strategy:
- Developing the business continuity strategy according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/developing-the-business-continuity-strategy-according-to-iso-22301-free-webinar-on-demand/
I loved how you said that ISO 27001 certification can give you an enhanced competitive edge. My sister was at my house last night for dinner, and she was wondering what she could do to make her company. I'll pass this information along to her so that she can look into getting ISO 27001 certified.
No, it is not mandatory, according to ISO 14001:2015, to have a written fire exit plan in a manufacture. Please check clause 0.5 where it states that ISO 14001:2015 does not include requirements specific for occupational health and safety.
Has a fire been identified as a relevant abnormal possible situation? Were environmental aspects and impacts related with fire determined and evaluated? Were they considered significant? If yes, the only requirement from ISO 14001:2015 is an action plan to prevent or mitigate the environmental impacts.
Please check below information about ISO 14001:2015:
There are no ISO 9001:2015 prescribed levels to determine the quality of raw materials, product, process and service. Each organization has the authority to determine the required levels based on complexity, experience of employees, past performance of suppliers, ability to detect problems and their impact on customer satisfaction or internal costs.
You can design the flow of activities from raw materials reception until product delivery to customers and then, based on the risk-based approach, you can ask:
From here one can design a quality control plan. Don’t expect getting everything right at the first attempt. Use monitoring and measurement to fine tune frequency, sample size and verifications in the quality control plan.
You can find more information below:
Let us look at ISO 9001:2015 clause 9.2.2 e)
As a good practice, after completing an internal audit the results should be reported to relevant managers, those with more knowledge and authority about the areas or processes audited. Not all nonconformities have the same importance. Some are minor failures and only deserve a correction. Others are more relevant and represent a systemic or major failure of the quality management system. So, major nonconformities require both a correction, the elimination of the nonconformity, and a corrective action, an action to eliminate the cause(s) of the nonconformity.
You can find more information below: