According to ISO 9001:2015 you must have at least one indicator per process. When one thinks about process indicators, one can think of three types:
For me, the most important are the effectiveness indicators, they measure if the purpose of the process is being met.
For example, for a company that has a strategic direction around innovation and has a process called “Develop new products” one can ask:
- What is the purpose of such process?
- Quickly develop new products that are market hits.
Effectiveness indicators will measure “Quickly” and “hits”. For example:
Efficiency indicators are the classic QCD indicators:
For example, for a company that installs wireless networks for telecom companies, with a process called “Install network”, efficiency indicators can be:
Quantity indicators give information about the need to manage resources accordingly. For example, number of incoming calls at a call center is a way of evaluating the need to contract more people to handle more calls without raising waiting time.
Please consider our free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ There you can find the rationale for developing effectiveness indicators and a monitoring plan.
On our free webinar on demand – The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ you can find an example of a flowchart that describes the flow of activities, very useful to define efficiency indicators.
The following material will provide you information about indicators:
ISO 13485, Manufacturing of Thermometer, Ventilator, BP Measurement apparatus - what are the applicable regulatory requirements?
While ISO 45001 does not use the term standard operating procedure (SOP), OH&S objectives and plans are often their own process in the OHSMS. In fact, clause 6.2 does not require that you document the process for OH&S objectives at all, only that you have documented the objectives and plans to achieve them. As long as you have written objectives and plans, how you determine them can be decided by top management without documentation.
To find out more on the OH&S objectives, see the article: How to define ISO 45001 objectives and plans, https://advisera.com/45001academy/blog/2018/12/04/how-to-define-iso-45001-objectives-and-plans/
Please note that the statement of applicability presents a summary of which controls are necessary, the justification for their inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A, while the risk treatment plan documents which actions are necessary to implement the security controls you need, who is responsible for them, what are the deadlines, and which resources are required.
In short, the purpose of the SoA is to describe the security profile of a company, while the purpose of the RTP is to define implementation responsibilities.
These articles will provide you a further explanation about the Statement of Applicability and Risk Treatment Plan:
These materials will also help you regarding Statement of Applicability and Risk Treatment Plan:
There is no definitive answer about how many documents are "good enough" when we talk about ISO management systems because this depends on the unique context of each organization, results of risk assessment, and legal requirements.
Our toolkits contain an optimum number of documents for companies of up to 200 employees, so you normally would not need any additional documents, but an organization may have legal requirements demanding additional documents not directly related to standard's requirements, or most common controls adopted by organizations.
For example, the procedure for a penetration test is not commonly used, so it is not part of the toolkit, but you may have a contract with a customer requiring this specific document.
This article will provide you a further explanation about developing documents:
ISO 27001 does not prescribe version control of documents, only that changes must be controlled (as applicable).
Considering that, version control is one way to fulfill these requirements, but if you can fulfill this control of changes by other means (e.g. a track changes feature), you do not need to implement version control.
This material will also help you regarding document management:
First, it is important to note that before you elaborate the SoA you need to perform the risk assessment and risk treatment steps, because these are required by the standard.
The second point to note is that, broadly speaking, justifications to apply or not apply a control are based on:
Considering that, if you do not have relevant risks or legal requirements to justify applying a control, you can state that the control is considered relevant to be applied by top management, as a good practice.
These articles will provide you a further explanation about risk management and SoA:
We're not experts in PCI DSS, but this article from ISACA can provide you a comparison between ISO 27001 and PCI DSS: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-1/comparison-of-pci-dss-and-isoiec-27001-standards
These articles will provide you a further explanation about ISO 27001 and PCI DSS:
There are plenty of solutions on the market that allow you to build email marketing, pop-up, and online booking services. You should discuss it with your web designer. You need to remember to describe the process in your privacy notice, ask for consent from the client in order to send newsletters, and publish terms and conditions on your website.
The GDPR allows the data controller to establish the right place where to store data: his internal servers, in the cloud, purchasing hosting space, and so on. You need to verify your service provider's compliance.
You can find more information in the following articles:
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Personal information under GDPR includes addresses, so if you want to show your work on your website you can ask consent to the client by inserting a clause in the agreement. Otherwise, you can insert the town where the work has been realized without any personal information about the client. In this case, the project will be anonymous and it will not be any more under GDPR prescription because Paragraph 26 in the Preamble states: “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes.”
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//