Search results


  • ISO 27001 examples of the acceptable evidence

    This book provides information about what to consider when implementing controls (e.g., which documents to write, which responsibilities to define, which actions to perform, etc.), but it does not provide specific examples of acceptable evidence for an audit. Broadly speaking, examples of evidence are:
    - logs
    - files in the system
    - diagrams of the network
    - configuration of platforms
    - agreements with suppliers or customers
    - filled forms

  • Objective evidence

    Unfortunately, a list showing all the evidence that the IATF 16949 standard requires is not available. Companies must prepare the objective evidence according to their own operations for every mandatory "shall" requirement written in the standard.


    For example, according to the requirements of 8.5.1.2 Standardized work – operator instructions and visual standards, machine operating instructions must be in a language that the personnel will understand, operators must have understood these instructions, the instructions must be available in the work area, and these instructions must include operator safety rules.


    When viewed within this framework, all the evidence required must be prepared, documented and presented by the company.

    To get an idea of which kind of records you can use for your management system, see this toolkit:

    IATF 16949:2016 Documentation Toolkit

    https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/

  • IATF 16949 implementation

    When does MSA have to be performed? After every calibration? After a change of operators/inspectors?

    An MSA study must be carried out for each type of instrument specified in the control plan. An MSA study must be done when new measuring equipment is purchased. If any automotive customer states in its customer-specific requirements that there is an obligation to do MSA studies once a year, then MSA studies must be done once a year.

    The MSA study should be repeated when a change in the measurement system occurs. This includes changes such as the measuring instruments, the operators, or the measuring methods.

    When the instrument is repaired, the MSA study must be repeated. Normally, it is a good idea to do a gauge study, that is, a Type 1 study, after calibration of the measurement device. In particular, Mercedes requests a Type 1 MSA study, which is a bias study, after each calibration.

    When we have a large variety of parts or part numbers of various sizes, how do we perform MSA? For all part numbers?

    When performing MSA, critical measurements should be selected and prioritized accordingly. Smaller sizes should be chosen instead of wide ones. MSA is not required for every part, because the MSA study is done on the measuring instrument, not directly on the part. When choosing parts for the MSA study, critical parts and critical features should be taken into consideration. If the variations in the process are largely due to special causes, the special causes must first be eliminated and the process must be stabilized. Otherwise, the MSA results we get will not reflect the truth.

    Is it necessary to mention the work instruction revision number and date in the PFMEA and control plan?

    No, it is not necessary. Just a document number is enough in the PFMEA and control plan.

    In the PFMEA, does each function/requirement have to be classified as minor, moderate, or major, or is it enough to mention only SC/CC wherever required?

    No, it doesn't have to be. The first place to look is the customer drawing or the definition in the customer specifications. Critical characteristics must be defined in these documents. They should definitely be included in the FMEA and control plans, especially if there is a product safety issue. If not, the organization's past experience and the types of complaints may show these characteristics. Such characteristics also come from the manufacturing process parameters, and these should be included in the P-FMEA and control plan.

    For more information, please read the following article:

    What is FMEA, and how to apply it in IATF 16949 https://advisera.com/16949academy/blog/2017/09/06/what-is-fmea-and-how-to-apply-it-in-iatf-16949/

  • ISO 13485 Implementation

    You can add a new facility to the existing ISO 13485 certificate if the processes at the new facility are covered by the scope of your ISO 13485 certificate. In that case, just inform your certification body that during the next audit you want to make a scope extension to the new facility.

    For more information, read this article:

    What are the steps for ISO 13485 certification? https://advisera.com/13485academy/blog/2020/03/18/iso-13485-certification/

  • Migrated mailbox and keeping the copy of the mailbox

    On the market, there are plenty of solutions for data retention and deletion, and there is no unique answer. In selecting the measures that fit your needs, you need to consider that GDPR aims to assure the integrity, availability, and confidentiality of data. Therefore, you can either store data on your local server, but server access must be secured and subject to authentication, or you can choose to store data in the cloud, but you need to avoid a shared cloud and select a solution that meets those targets.

    GDPR, in fact, aims to be technologically neutral.

    Encryption, antivirus, firewall, and controlled access are among the best technical measures; but, again, you need to verify that the encryption key is strong enough to protect data from unauthorized access, and that the firewall and antivirus are updated against the latest threats.

    The same applies to data deletion: deleting data before the end of the data retention period can be considered a data breach, because you were not able to guarantee integrity for the whole data retention period (consider this when you set that period). On the market, there are tools that allow you to manage consent and deletion automatically; check whether these tools guarantee enough security in terms of confidentiality, integrity, and availability.

    Here you can find some useful information:
    - A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
    - How cybersecurity solutions can help with GDPR compliance: https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
    - Implementing 3 main accountability principles under the EU GDPR: https://advisera.com/eugdpracademy/blog/2017/09/27/implementing-3-main-accountability-principles-under-the-eu-gdpr/

  • Clause 7.1

    A description of roles and related responsibilities (e.g. in our documentation toolkit we put it as a mandatory part of the process description) will provide the required evidence.
    Also, when you document processes in the scope of the SMS, it should be clearly visible who is doing what.

    This article will help you: "Defining roles and responsibilities for ISO 20000-based IT Service Management" https://advisera.com/20000academy/blog/2017/10/18/defining-roles-and-responsibilities-for-iso-20000-based-it-service-management/

    And, particularly for smaller organizations, here are a few ideas on how to combine roles: "What ITIL roles can be combined in one person?" https://advisera.com/20000academy/knowledgebase/itil-roles-can-combined-one-person/

    Further on, technical resources are your tools used to manage IT services (and tasks), and financial resources are, e.g., your budget.
    Find more information here:
    - "5 things to beware of when selecting an ITSM tool" https://advisera.com/20000academy/blog/2016/03/08/5-things-to-beware-of-when-selecting-an-itsm-tool/
    - "Financial Management for IT services – theory and practice" https://advisera.com/20000academy/knowledgebase/financial-management-services-theory-practice/

  • ITIL and COBIT framework vs standard

    ITIL is a best practice framework, and practice(s) is just one of the essential elements for value creation (briefly described here: "ITIL 3 vs. ITIL 4 – What has changed and what is new?" https://advisera.com/20000academy/blog/2019/07/04/itil-3-vs-itil-4-what-has-changed-and-what-is-new/).

    This article will help you understand the relation between ITIL and COBIT: "COBIT, ITIL and ISO 20000 – The main differences" https://advisera.com/20000academy/blog/2019/09/25/cobit-vs-itil-vs-iso-20000-a-comparison/

  • Clause 4.4

    Objectively, I will say that it is on the non-mandatory list. Clause 4.4.1 states that organizations must determine their processes, their inputs and outputs, and how they interact. Nowhere does it say there has to be a document, but everyone is waiting to see the process map. Clause 4.4.2 is par excellence part of the non-mandatory list. Organizations are invited to reflect on what documents to create for their quality management system.
    A clause may not be listed in any of those lists, for example clauses 5.3, 6.3 or 7.4. An organization may have leadership practices or communication practices, and evidence of them, yet without any non-mandatory document. In the same way, an organization may address clause 6.1 without considering the need for a non-mandatory document. Only the mandatory list is relevant. The non-mandatory list is a sort of adviser based on Advisera's experience.

    The following material will provide you more information about documentation:

  • Toolkit content

    1. Wondering a bit about the organization of files. We have a list of policies we need to write first – one is "Information Security Awareness, Education & Training" – I find it referenced as A.7.2.2.

    Yet when I go into the folder below, where I expect to find it, there is no A.7.2.2 document: …27001_EN\08_Annex_A_Security_Controls\A.7_Human_Resource_Security.

    There IS an A.7.2_Statement of Acceptance.

    Please note that ISO 27001 does not require a policy for "Information Security Awareness, Education & Training" to be written. For certification purposes, the training and awareness plan, located in folder 09 Training and Awareness, is sufficient.

    For further information, see:

    2. Also, the following are policies we need; however, they seem to point to no specific document. Where would you recommend we add these?

    Patch Management Policy – in A.8.2 – IT Security Policy?

    Information Security in Project Management – where to discuss this or assign project manager responsibilities?

    Separation of Development, Testing & Operational Environments – listed as A.12.1.3 – but not sure where to create it, as I can't find any sample wording.

    Patch management would be best covered in A.12.1 - Security Procedures for IT Department, located in folder 08 Annex A Security Controls >> A.12 Operations Security, since it involves change management.

    Overall project manager responsibilities can be defined in the Information Security Policy, located in folder 04 General Policies, and specific responsibilities can be defined in the project's documentation.

    Separation of Development, Testing & Operational Environments would be best covered in A.14 - Secure Development Policy, located in folder 08 Annex A Security Controls >> A.14 System Acquisition Development and Maintenance.

    These articles will provide you further explanation:

  • Copy of the ISO/IEC 27001 standard licensed document

    Employees do not need to have a copy of the standard for themselves. It is sufficient that management makes a licensed copy of ISO/IEC 27001 available whenever they need to consult the standard.
