Yes, your action is correct.
The process performance (KPI) data of the last 12 months are taken into consideration in every IATF 16949:2016 audit. These data should be recorded for each process defined in the quality management system. I recommend that you follow the process performance monthly or quarterly.
Example: If your last audit was done in April 2019, the 12-month process performance data between April 2019 and April 2020 will be checked in your April 2020 IATF 16949:2016 audit. Of course, the goals and results of each process performance should be ready for the years 2018 and 2019.
In particular, the auditors want to see the progress of the targets by years. This is also very good evidence for the organization's level of continuous improvement.
For more information, please read the following article:
For more information, please see the following materials:
We are preparing for ISO 45001 and 14001. We have already been ISO 9001:2015 certified since 2013. Question: Shall we use the ISO 9001:2015 documents for the other 2 QMS?
How to establish the ISMS measurements?
Measurements are established based on the objectives the ISMS has to achieve (business-oriented objectives), as well as on the objectives established for the controls (security-oriented objectives).
Once these are defined, among other items, you also have to define:
These articles will provide you with a further explanation of ISMS measurement:
These materials will also help you regarding ISMS measurement:
Working on the Statement of Applicability as your starting point is not a good approach, because it only documents the results of previous efforts.
According to ISO 27001, to understand which of the 114 controls are going to be necessary you need to perform the identification of applicable legal requirements and a risk assessment and treatment process.
The identification of legal requirements will help you identify laws, regulations, and contracts that demand the implementation of controls, and the risk assessment and treatment will help you identify which controls you need to implement to handle the most relevant risks.
These articles will provide you with a further explanation of ISO 27001 and the application of controls:
These materials will also help you regarding ISO 27001 and the application of controls:
As long as there are no legal requirements, and as long as there are no customer requirements, for example on contracts, organizations are free to determine the retention time for their records.
Normally, in these cases, I advise keeping records for 3 or 4 years, to ensure that records generated during a certification cycle will be available within that certification cycle.
The following material will provide you with information about retaining records:
It is possible to use such a justification for the exclusion of a control, but please note that the common understanding is that information in the SoA refers to elements that are part of the ISMS scope, and such a justification (referring to elements not in the ISMS scope) would only add unnecessary complexity to your document (e.g., an auditor would have to work again on the ISMS scope document to confirm that the development process is out of the scope).
It is simpler to say that the control is not applicable because there are no relevant risks and/or legal requirements demanding the implementation of the control.
The main purpose of a quality management system (QMS) is consistently meeting customer requirements and enhancing their satisfaction. The process approach is one of the eight quality management principles upon which ISO 9001:2015 is based. According to this principle, a desired result is achieved more efficiently when activities and related resources are managed as a process. So, ISO 9001:2015 invites organizations to see themselves as a system of interacting processes. One can say that the QMS is that collection of processes.
I like to use the process approach as a way of modeling how an organization works. For example, the main processes for a service-providing organization can be around something like:
All organizations are different, so there is no universal set of processes. Each organization should design the set of interrelated processes that best suits its purpose.
Please check this free webinar on demand to see how the set of processes can be determined and how the process approach can be used - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
You can find more information about the process approach in the following links:
Although the function of the management representative, referred to in the previous edition, is not mentioned in ISO 9001:2015, the roles, responsibilities and authorities remain; it is up to top management to define who should be assigned. This aims to reinforce the possibility that the responsibilities regarding the QMS belong to a group of people, and not exclusively to a single representative of the management or the quality manager. They can be assigned to those responsible for the different processes and to other people in the organization.
You can find more information about the management representative in the following links:
1 - Question: am I going on the right path, and what are the pitfalls I may encounter? Some of our processes rely on a digitalized information system, and if the system fails we fall back on our manual system. We have not decided to go for ISO 27001 yet.
ISO 22301 does not prescribe a risk assessment approach (you have to define one on your own), but please note that SWOT is not sufficient, because for risk assessment you need to perform risk identification and risk analysis, and SWOT will help you only to identify risks (the risk matrix system will help you to analyze the risks, so you can have them measured).
Regarding ISO 27001, it is not required for ISO 22301 certification, but you can consider its security controls to support your BCMS implementation, as good practices.
For further information, see:
2 - Question: am I right to say that we only select such key cases when doing our BCMS and use those cases for the ISO 22301 certification?
I'm assuming that by key cases you are referring to the specific disruptive scenario that will be handled by your BCMS.
Considering that, please note that the certification is based on the BCMS scope, which covers the processes, locations, and/or business units you consider relevant for business continuity. Relevant disruptive scenarios are identified after the BCMS scope definition.
So, you need to define the BCMS scope first, because without it the certification auditor will be unable to evaluate if the selected key cases are relevant or not.
Additionally, the BIA, risk assessment, strategy, and planning have to be done for all the activities in the BCMS scope.
For further information, see:
3 - Final question: I saw the BIA template, and it may be complicated for my staff to understand and use it effectively. Question: is there any simpler template to use? We are just a service provider (ISO 9001 and OHSAS certified) at the airport for all cargo shipments, and we are also based on the ISAGO-IATA requirements.
Our BIA template contains the minimum information required by the standard, so to better help you we need more details to understand where potential difficulties may be.
Please note that included in the template you have access to a video tutorial that can help you to fill in the BIA, using real data as examples. This may help you to complete the BIA.
For ISO 27001 you can define equipment as an asset that is used to store and/or process information or to support information processing facilities.
To identify equipment to be considered for information security you need to verify the ISMS scope and the legal requirements (e.g., laws, regulations, and contracts) your organization must comply with. Based on the information your ISMS must protect, and on the legal requirements, you can identify equipment that must be considered for the application of information security controls like A.11.2.4.
To see examples of assets, I suggest you take a look at the free demo of our Inventory of Assets, sheet "Checklist of assets", at this link: https://advisera.com/27001academy/documentation/inventory-of-assets/
It contains examples of assets to be used in the risk assessment for ISO 27001.
These articles will provide you with a further explanation of assets and equipment: