Search results

ISO 9001 Internal Audit requirements

I believe that you can find an explanation in this free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/

For example, on slide 9 we present the process:

Then, we develop each step.

You can find more information about the internal audits in following links:

• ISO 9001 – What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/ 
• ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
• Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
• Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

ISO representative responsibilities

ISO 9001:2015 no longer requires the role of an ISO representative. Many organizations continue to consider that function within their quality management system architecture. Once ISO 9001:2015 no longer mentions the ISO representative, each organization can design the set of authorities and responsibilities most suitable for their particular situation.

A classic is being responsible for liaison with certification body. Other responsibilities can be:

• Inform and guide the organization on quality issues;
• Promote customer focus;
• Manage quality meetings;
• Review the Quality Manual;
• Coordinate the audit process;
• Gather resources in order to maintain and improve the QMS; 
• Define quality indicators; 
• Follow up on the goals established for the various indicators; 
• Identify and participate in the analysis of non-conformities, proposing and promoting, when applicable, corrective / preventive actions with a view to continuous improvement.

You can find more information about the management representative in following links:

• What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
• What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

BCP and DR: ISO 22301

The BCMS scope should include all departments that can affect your organization's capability to deliver your products and/or services. For example, in a beverage industry, the logistics department plays a crucial role in delivering the products, so it should be considered in a BCMS implementation. The same applies to air traffic control activities for airports. So, you should consider your business products and/or services nature, and how your departments impact them, to identify which departments should be included in the BCMS scope.

These articles are related to ISMS but can provide some tips about defining a BCMS scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
• How to define activities when implementing business continuity according to ISO 22301 https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/

These materials will also help you regarding BCMS scope definition:

• Book Becoming Resilient, The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ 
• Free online training ISO 22301: An overview of the BCM implementation process https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/

Management review meeting

I suppose you are the quality manager. Let us focus on ISO 9001:2015 clause 9.3.

Clause 9.3.1 is about the purpose of the management review (slide 8)

Management review is more than a meeting it is a process (slide 9)

Who participates? Top management and managers (slide 10)

Clause 9.3.2 is about the inputs to the management review (slide 11) – each participant has first-hand knowledge about specific topics and can be responsible for leading the conversation about decisions and actions about that topic.

Please check this free webinar on demand where all these topics are treated - How to perform management review according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-perform-management-review-according-to-iso-9001-2015-free-webinar-on-demand/

You can find more information about management review in the following links:

• How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/ 
• How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/ 
• ISO 9001 document template: Procedure for Management Review - https://advisera.com/9001academy/documentation/procedure-management-review/ 
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/ 
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Quality Records

Thank you.

Communication matrix

Your organization, with ISO 9001:2015 clause 4.2, determined relevant interested parties and their relevant requirements and/or expectations. So, considering those relevant interested parties, your organization should determine what needs to be communicated to each party (internal or external) in terms of the quality management system. For example, your organization may want to communicate process performance to employees, or quality test results to clients or environmental information to the local community. For each “what to communicate” your organization should plan (I use a table):

• when to communicate – once per month? once per year? Every quarter? 
• to whom communicate – clearly state who will be the recipients of communication 
• how will you communicate? – a newsletter? An internal meeting? An e-mail? A press release? An internal report? A blog post?
• who will communicate? – Which function or functions will be responsible for the communication?

The following material will provide you information about communication:
- Communication requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
- You can enroll for free in this ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

BC Plan

Do I need to edit the same BC strategy document and add BC strategy for a new business unit or can I create a new BC strategy document for each department?

ISO 22301 does not prescribe how documents need to be developed, so organizations are free to develop them as best to fulfill their needs.

You can create a new BC strategy document for the new department, but you should evaluate if the effort to review and maintain two separate documents are worthy.

Both single and separated documents are accepted approaches. A single document is better to centralize strategies and make systemic review easier, but it can become too big and complex document to handle, while separated documents are easier to handle, but increases the administrative effort to review and maintain them.

A mixed approach would be to create a document with parts that are common for all strategies and then create separate documents with only the specifics of each department.

This article will provide you an idea about developing one o several documents:

• One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

This material can also help you with the business continuity strategy:

• Developing the business continuity strategy according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/developing-the-business-continuity-strategy-according-to-iso-22301-free-webinar-on-demand/

Do I need to write the workaround of the processes/activities which I recognize in BIA conducted with the departments, in the BC plan?

I'm assuming that by "workaround" you mean a temporary fix to be used as a bypass of a recognized problem.

ISO 22301 requires you to create strategy/solutions and BC plans based on the BIA results - therefore, this should not be a workaround, rather it should be the update of those documents (if you already have them).

These articles will provide you an idea about developing BCPs:

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
• How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

This material can also help you with the business continuity plan:

• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/

Can I have a single document of both the BC strategy and plan in a single document for each business unit?

This is acceptable considering compliance with ISO 22301, but during a disruption, you will need rather short and clear documents to execute (i.e. the BC plans), and if such documents also include the BCP strategy they will become unnecessarily complex and will be difficult to execute.  

Additionally, you also should evaluate if the effort to review and maintain two separate documents is worthy, and sometimes the business continuity strategy contains sensitive information that should not be shared together with the BCP document.

External process performance measurements

Let us look into a process:

First, think about the purpose of the process: Why does this process exist? What is the rationale for its existence? Consider a process, any process, for example: 

• Manufacture parts. 

What can be the purpose of this process?

• Comply with the production plan, without defects and at budgeted cost

How will you know that the purpose is being met? 

One way of measuring performance is at a macro level, measuring the purpose effectiveness.

For this particular case indicators can be:

• production plan compliance rate; 
• defects rate; 
• deviation from budget, or unitary cost. 

Another way of measuring process performance is at micro or internal level. Let us zoom and see what is happening inside the “Manufacture parts” process:

Whenever I see a flowchart of a process, I think about possible indicators of process performance, mainly efficiency indicators:

• 1 – output rate (units/hour)
• 2 and 3 – defects rate 

Whenever you see a decision box in a flowchart you can check if there are any relevant indicators concerning rates (rate of good over bad, rate of one decision over another decision)

A third kind of indicator is about quantity. For example:

• How many orders were processed? 
• How many units were produced? 

Please consider our free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 -  https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ There one can find the rationale for developing effectiveness indicators and a monitoring plan:

On our free webinar on demand – The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ one can find an example of a flowchart that describes the flow of activities.

The following material will provide you information about indicators:

• Article – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/ 
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/ 
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 14001 individual vs consultant implementation

Yes, you can do it yourself. It probably won't be as fast as with a consultant, but it will be more economical. 

If you decide to go by yourself Advisera can help you:

• You can enroll for free in our online ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/ - first part is about the ISO 14001:2015 foundations, the second part is about good implementation practices.
• You can develop your own documentation, or you can Advisera’s ISO 14001:2015 Documentation Toolkit - https://advisera.com/14001academy/iso-14001-documentation-toolkit/ - fully customizable and with one-on-one online consultation 
• You can access Advisera’s free ISO 14001 materials - https://advisera.com/14001academy/free-downloads/ and our blog with many articles – like these two:
            Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
            Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
• You can watch free webinars on demand – ISO 14001Webinars - https://advisera.com/14001academy/webinars/

Probably you will need some help on environmental legislation. Perhaps you can use a economic sector association, or a legal consultant or a environmental legislation software service company.

Adoption of ISO 27001

1. We have been told by a client (a bank) that we need to become ISO27001 accredited as a company to meet their security standards.
But we are only a small organisation and do not have in-house IT people.
Would you recommend we contract an IT consultant for some time and use your framework?

First is important to note that:

• ISO 27001 was designed to be applicable to organizations of any size and industry, so even if you are a small organization ISO 27001 can help you
•  Information security goes much beyond the IT environment (you have to handle information security risk related to suppliers, employees, physical documents, etc.)

Regarding the implementation approach, there are three major options:
a) using your own personnel
b) hiring a consultant
c) using a DIY approach with external support

All of them have their advantages and disadvantages, considering time, cost, effort, and preservation of knowledge, and you should consider these factors to decide which approach is best for you.

These articles will provide you further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
• 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

2. How do you work with clients like us? I’m not sure where to start?

Our ISO 27001 Toolkit follows the "DIY with external support" approach, and by which you stated about your business, it is the right solution for you. The templates in the toolkit are 90% completed and you only have to include the information about your organization and the specifics about the controls that will be used.

The templates have lots of comments that will help you including your information. And if you are stuck at any moment in the process, you can contact us through e-mail (there is no limit for how many emails you can send), or schedule online meetings with one of our experts.