Here are a few articles that discuss ITIL/ISO 20000 implementation and its benefits, i.e. challenges:
5 key benefits of ISO 20000 implementation https://advisera.com/20000academy/blog/2016/02/09/5-key-benefits-of-iso-20000-implementation/
4 Crucial Techniques for Convincing your top Management to Implement ISO 20000 https://advisera.com/20000academy/blog/2017/10/31/4-crucial-techniques-for-convincing-your-top-management-to-implement-iso-20000/
What are the most common ISO 20000 implementation myths? https://advisera.com/20000academy/blog/2016/02/23/what-are-the-most-common-iso-20000-implementation-myths/
5 excuses why IT organizations avoid ITIL implementation https://advisera.com/20000academy/blog/2015/08/25/5-excuses-why-it-organizations-avoid-itil-implementation/
How ITIL can help cloud services https://advisera.com/20000academy/blog/2015/07/28/how-itil-can-help-cloud-services/
This order follows exactly the sequence of requirements of ISO 27001.
Please note that the Risk Treatment Plan defines the actions, resources, responsibilities, and dates for the implementation of risk treatment options (e.g., risk transfer and risk mitigation), and you first need these options to be approved, generally as part of the SoA approval, so you can minimize risks of rework or loss of time if a treatment option is not approved.
These articles will provide you with further explanation about the risk management process:
Let us start with which clauses could be candidates for non-applicability:
The following material will provide you with more information about non-applicable clauses:
ITIL doesn't explicitly define priority levels. A priority matrix should be applied based on your SLAs, type of services/business, the tool you use, etc.
Here is the article where you can find more details: All about Incident Classification https://advisera.com/20000academy/knowledgebase/incident-classification/
as well as this free webinar
ITIL Incident Management Process Demystified https://advisera.com/20000academy/webinar/itil-incident-management-process-demystified-free-webinar-on-demand/
From the ISO 13485:2016 Documentation Toolkit, in my opinion, you can exempt the following documents: Design and development, Sterilization and Adverse event investigation. The procedure Production and service provision in your case will be Service provision.
Yes, ISO 9000:2015 defines product as the output of an organization that can be produced without any interaction taking place between the organization and the customer. The same ISO 9000:2015 defines service as the output from an organization where at least one activity is necessarily between the organization and the customer.
By the way, this is a theme that I follow with some attention. I prefer the approach of some marketing scholars who invite us to consider that everything is service. There is even a phrase that I like very much: "Everything is service. A product is an avatar of a service". More and more we see organizations that bet on co-development, co-production, co-creation with customers. When we receive in the mail a simple T-shirt with a message ordered by us, is it a service or a product?
The following material will provide you with information about ISO 9001:
ISO 27001 does not prescribe the CISO role, nor the competencies required to run an ISMS, but considering the requirements of the standard, if you have a CISO in your organization, you should consider at least these areas of competence:
- Standard: knowledge of the ISO 27001 standard
- Compliance: to identify interested parties and their requirements
- Documentation: for the development of policies and procedures
- Risk management: to teach and guide employees during the risk assessment and risk treatment process
- Human resources management: to provide awareness and training activities
These articles will provide you with further explanation about the CISO role and competencies:
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Certain procedures in our ISO 13485:2016 toolkit have described workflows (e.g., customer complaint process, sales process, evaluation of suppliers). Workflows are not mandatory according to ISO 13485:2016.
Advisera does not provide software for ISO 13485, therefore we do not have electronic signatures. The ISO 13485 Documentation Toolkit is only a set of documentation templates; it is not software.
The data retention schedule helps the data controller and data processor to comply with the principle of minimization and to be accountable.
The data controller and data processor need to evaluate how long they will need the data. Specifications may be found in laws (i.e. many tax and accounting laws require keeping records of transactions, bills and invoices for up to ten years) and in contracts (especially for data processors, who receive instructions on how to handle data processed on behalf of the data controller, either in their appointment as a data processor or in separate instructions). The data retention schedule should be in line with all these requirements, balancing the principle of minimization against the risk of a data breach (which can be considered as data destruction based on a wrong data retention schedule).
In your data retention schedule, you should also decide how to deal with data not covered by laws and regulations (i.e. applicants' CVs) by establishing a principle in line with the period for which the data controller may need those data (i.e. until the job position has been filled). Therefore, specifications for data retention schedules may vary from case to case depending on the data processing.
You can find more information here:
- The role of the DPO in light of the General Data Protection Regulation: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
- How the GDPR could impact your HR department: https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/
- Implementing 3 main accountability principles under the EU GDPR: https://advisera.com/eugdpracademy/blog/2017/09/27/implementing-3-main-accountability-principles-under-the-eu-gdpr/
- Understanding 6 key GDPR principles: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
Indeed, a key performance indicator must be something measurable in itself; if it is evaluated from 33 different perspectives, it becomes complex to measure and can produce results that are difficult to interpret.
To define key performance indicators (KPIs), you first need to know which processes exist within the QMS and then define their most relevant elements, since these will be the main targets measured by the key performance indicators. For example, in a manufacturing company, one of the most relevant factors will be that orders are delivered within the agreed time. Therefore, the time it takes to make a product could be considered a key performance indicator.
For more information on key performance indicators, you can see the following materials:
- Article - How to define Key Performance Indicators for a QMS based on ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
- Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/