
  • Identifying scope and risks

    1. Is it mandatory that I should use techniques like SWOT or PESTLE for identifying internal and external issues?

    Answer:

    No, SWOT and PESTLE are not mandatory techniques for identifying internal and external issues. They can be useful, but they are not mandatory.

    2. Most of the sample QMS Manuals I have seen are the same, i.e. replicas. The doubt I have is: is it OK if we define the scope on our own?

    Answer:

    Yes, each organization should define its own management system scope.

    3. The Quality Management System (QMS) scope of our company defines the standardization of processes; the QMS equips the project team with a documented approach that helps in maintaining the quality of work, reducing rework and executing projects cost-effectively. This is what I prefer to define for my company. Is it OK?

    Answer:

    I think that it has to be improved. Organizations shall define, document and make available the scope of the QMS, referring to the Products and Services that are provided and identifying the limits of the management system. The scope should clearly describe the type of Products and Services covered by the system and provide sufficient information, preventing the transmission of erroneous or misleading information about what the organization covers in the quality management system and what it is able to provide to its customers. It must be available because it is through the scope that the organization communicates to the relevant interested parties, namely customers and potential customers, the Products and Services it makes available.    

    The following material will provide you with information about the scope of a quality management system:

  • Implementation time

    For a company of 200 employees, with appropriate resources it could take around 1 year. However, the duration of implementing the standard will depend on several factors, such as:

    - the resources assigned to the implementation of the standard, both financial and in terms of personnel

    - the complexity of the product or service to be certified, or of the processes within the organization

    - the amount of existing documented information, such as procedures, work instructions, etc.

    - the number of locations the company has

    - knowledge of the standard

    You can calculate the approximate time it would take you to implement the standard here - 9001 Implementation Duration Calculator: https://advisera.com/9001academy/iso-9001-duration-calculator/

    I also recommend that you assess the requirements the organization needs to comply with by means of a gap analysis. You can use the following tool for free on our website - ISO 9001 gap analysis: https://advisera.com/9001academy/es/herramienta-analisis-de-brecha-iso-9001/

    In addition, these materials can help you estimate the time it will take to implement the standard in your organization:

    - Free course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • ISO 20000 vs ITIL

    ITIL and ISO 20000 complement each other. So, if you have ISO 20000, there is no problem if you start implementing ITIL. Quite the contrary: during ISO 20000 implementation you already implemented a lot of processes and related activities that are recommended by ITIL.

    This free whitepaper can help you: "ITIL vs. ISO/IEC 20000: Similarities and Differences & Process Mapping" https://info.advisera.com/20000academy/free-download/itil-vs-iso-iec-20000-similarities-and-differences-process-mapping

  • Annex A

    1. ISO 27001 Annex A - I have a question regarding A.14 System acquisition, development, and maintenance. We are a software development company. Does this part apply to the software we develop (as a business) or only to internal software we could develop, I mean for internal use?

    The application of this control for customers or internal purposes will depend on the scope of your ISMS. If the ISMS scope covers software development for clients, then you need to include these activities with applicable controls.

    For further information, see:

    2. ISO 27001 A.15 - May I apply this measure to the critical IT suppliers only? Or should I apply it to all suppliers?

    You do not need to apply controls from section A.15 to all your suppliers. You can limit the application only to those for which you have identified unacceptable risks, or to those for which you have a legal requirement (e.g., law, regulation or contract) demanding the application of the control.

    For further information, see:

    3. In Annex A, can we justify that we do not choose a measure by saying "company capacity is too light" or things like that?

    Your suggested justification most probably won't be accepted by a certification auditor. A good justification for not choosing a control would be "We do not have unacceptable risks or legal requirements demanding the implementation of this control", because it covers the two most common reasons to implement a control.

  • Fast-track information risk assessments

    First, it is important to note that not all persons will give you direct answers about assets, threats, and vulnerabilities. This is because of their backgrounds (e.g., technical or non-technical) and their knowledge about information security.

    Broadly speaking, you should consider at least these questions to identify assets:

    • Which information do you have to deliver? To whom? (this last question will help direct you to the next person you should talk to)
    • Which information do you need to do your work? From whom? (this last question will help you map whether all relevant persons were already covered)
    • Which resources do you need to work with? (depending on the role of the person, this can lead to general answers, like "information system abc", or to a detailed list of assets)

    For identification of threats and vulnerabilities, you should consider these questions:

    • In your opinion, what can negatively affect the information and resources you mentioned? And why?

    In short, the questions have to be focused on the context of the interviewee, and from their answers you have to mine the assets, threats, and vulnerabilities.

    As a support tool, if you have experience and knowledge about the process involved, it is useful to build a checklist with the most common answers and try to validate them with the interviewee.

  • ISO 22301 Communication Plan

    First, it is important to note that ISO 22301 does not prescribe how a communication plan must be documented, so it is up to the organization to decide whether it will be a separate document or not.

    For small and medium-sized organizations we understand that a separate document would increase administrative effort unnecessarily, so information related to the communication plan is available in several templates, for example:

    • Disaster recovery plan, located on folder 07 Business Continuity Plan
    • Activity recovery plan, located on folder 07 Business Continuity Plan
    • Business Continuity Policy, located on folder 03 Business Continuity Policy
    • Incident response plan, located on folder 07 Business Continuity Plan

    In each document information related to communication is defined according to the document purpose.

    For further information, see:

  • Question about PII data

    Even if you have Personally Identifiable Information (PII) in your ISMS scope, ISO 27001 does not require a specific policy for PII to be developed, but you have to verify whether any of the laws you identified as legal requirements for your ISMS because of PII requires such a policy. In case any of them requires a policy for PII, you will have to develop one.

  • ISO 17025 implementation

    ISO 17025 clause 6.4 covers requirements for equipment, where the requirement is that equipment should be suitable, maintained and monitored to ensure a laboratory produces consistently valid results. It is important to know what is required of specific equipment to ensure suitable performance. In all cases, mandatory specifications, regulations or guidelines should be followed, if applicable for your sector.

    The document you refer to is an Annex of the document "Qualification of Equipment", published for European Union (EU) Official Medicines Control Laboratories (OMCL). Such laboratories support quality control regulations for medicinal products.
    I cannot tell from your question which sector your laboratory supports and whether the document you refer to is prescribed as mandatory by a regulatory body or your accreditation body, or is just a guideline you are using to meet ISO 17025 requirements. Either way, if you have assessed your processes thoroughly against ISO 17025 requirements as well as the OMCL Annex, and there are no gaps, then surely you are meeting requirements?

    The following may be of interest:

    Article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
    The ISO 17025 toolkit or ISO 17025 document template: Equipment and Calibration Procedure and associated appendices: List of Laboratory Equipment, Calibrated Equipment Record, Calibration Record and Equipment Maintenance Record, available at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure//

  • ISO 9001:2015 vs ISO 17025

    The answer to your question is most likely no, but it depends on the extent of your ISO 9001:2015 management system and the planned ISO 17025 scope. As mentioned above, a laboratory will need to develop the management system to include the requirements of ISO 17025:2017 clauses 4 to 7. The clauses do not stand alone; they are intertwined, which means you need to make sure the requirements of clauses 4 to 7 are covered by, or added to, the existing management system processes and activities.

    Once you have established the scope of accreditation, i.e. which tests are going to be included for accreditation, a gap assessment should be done. Here you will perform an audit to see to what extent the existing activities, processes, procedures and records (created for ISO 9001:2015) meet the requirements of ISO 17025. For example, you may have an audit program (ISO 17025:2017 clause 8.8) that meets ISO 9001:2015 requirements; however, if technical audits had not been included, or your scope has changed, you may not have audited the method validations (clause 7.2) or monitored the environmental conditions (clause 6.3) of a test which is part of your ISO 17025 accreditation scope. Another example is risks and opportunities (clause 8.5), where assessments would be required and the register updated to cover ISO 17025 activities.

    I suggest the following article may provide some more insight: What is ISO 17025?, especially the section "Practically speaking, what are the steps to becoming ISO/IEC 17025 accredited?". Available at https://advisera.com/17025academy/what-is-iso-17025/

  • Privacy Policy for internal Employees and Privacy notice on Website

    These are two different documents with different purposes, data retention periods and data collected.

    The privacy notice on the website allows web users to know how you will process their data (navigation data, data coming from cookies, account data, etc.), for which purposes and for how long you will process it. You may want to ask website users for consent for marketing purposes and for transferring their data to third-party processors (e.g. social networks). Maybe you will process users' data for two years. The privacy notice aims to inform data subjects what data will be collected, for which purposes and for how long the data controller will process it. It must be specific and inspired by the data minimization principle (ask only for necessary data).

    You should also have a privacy notice attached to the job contract to inform employees about how you will process their data, because the purposes of processing, the legal ground and the data retention period will be different from those for data collected from website users.

    The privacy policy for employees is another document that aims to teach employees how to handle the personal data collected. You must set some internal rules on data processing. Some basic rules are: do not leave personal data accessible, do not share personal data with unauthorized persons, inform the security officer or DPO (if there is one) if a data breach is suspected, how to handle data subjects' requests, and so on.

    You may find some useful information in the following articles: Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

    Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

    Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

    How the GDPR could impact your HR department: https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/

    Contents of the Data Protection Policy according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/
