Leadership is one of the requirements the organization has to demonstrate within its QMS and its EMS. To that end, I recommend that from the outset you present the benefits that implementing ISO 9001:2015 and ISO 14001:2015 brings to the organization's processes, together with the resources that will be needed, not only financial but also personnel, so that a real commitment exists. For example, you can hold a meeting with top management in which you give a presentation covering those benefits, the resources, and the responsibilities required in the project.
For more information on leadership in quality and environmental management, see the following materials:
- Article - How to comply with the new leadership requirements in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-cumplir-con-los-nuevos-requerimientos-de-liderazgo-en-la-iso-90012015/
- Article - Six key benefits of ISO 9001 implementation: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/seis-beneficios-clave-de-la-implementacion-de-iso-9001/
- Article - Six key benefits of ISO 14001: https://advisera.com/14001academy/es/knowledgebase/6-beneficios-clave-de-la-iso-14001/
- Report - How can ISO 9001 help your business grow: https://info.advisera.com/9001academy/free-download/how-can-iso-9001-help-your-business-grow
- Report - How can ISO 14001 help your business grow: https://info.advisera.com/14001academy/free-download/how-can-iso-14001-help-your-business-grow
- Presentation - Why ISO 9001:2015 awareness presentation: https://info.advisera.com/9001academy/free-download/why-iso-9001-2015-awareness-presentation
- Presentation - Why ISO 14001:2015 awareness presentation: https://info.advisera.com/14001academy/free-download/why-iso-14001-awareness-presentation
- Free course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
ISO 27001 does not prescribe how documentation must be developed, so organizations can develop it in the way that best suits their needs.
The main criteria for deciding whether or not to merge documents are whether they have similar purposes and whether, by merging them, they would become a document too big to understand and read. So, in this particular case, if your single document does not become too big to use and manage, it may be best to merge them, so that you have fewer documents to manage in your ISMS.
These articles will provide you with a further explanation about developing policies:
We're not experts in this field, but in general an ISAE 3402 Type II Audit/Report (SOC 2) reports on various organizational controls related to security, availability, processing integrity, confidentiality, or privacy, and considering that the ISMS scope is related to the scope of the ISAE 3402 report, it seems perfectly possible to use ISMS outputs for your ISAE 3402 report.
The ISMS provides a framework for the implementation, operation, and improvement of information security, while ISAE 3402 is a verification that the implemented measures are working as expected.
This information (from the official site of the American Institute of CPAs) about SOC 2 and ISO 27001 may be of interest to you: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/trust-services-map-to-iso-27001.xlsx
This timing differs from one certification body to another - some certification bodies allow you to go for certification after you finish the internal audit, management review, and closure of most of your corrective actions; others require a 3-month period of ISMS operation before you can start the certification process.
So the point is - you should ask for quotes from a couple of certification bodies, and ask them to specify their requirements.
These articles will help you:
1. We are preparing this table for the first time. When listing an asset, is it ok to use a generic category for the asset so that it includes multiple real assets, or must each real asset be listed individually? For example, if I have 10 desktop computers, must each be listed separately or can I make one entry for "desktop computer" assuming the risks are the same for all 10?
ISO 27001 does not prescribe how to perform the risk assessment, only that it must be performed, so organizations are free to perform it in the way that best suits them.
In fact, grouping assets with similar risks into a single category, as in your example, is a common practice, and it is perfectly acceptable to certification auditors.
Please note that included in your toolkit you have access to a video tutorial that can help you fill in the risk assessment table, presenting examples with real data.
My second question is about the existing control column. Is it ok to list a preventative measure that has not been documented in a policy, or must it be an explicit control that is documented? For example, if I have a server that is vulnerable to power failure, can I list the existing control simply as "the server is plugged into a UPS", or must I cite a policy document that indicates all servers must be plugged into a UPS? Again, this is the first time this document is being written, and we understand that we will need documented controls for the Risk Treatment Table.
As long as the control is implemented, there is no problem in mentioning it in the existing control column of the risk assessment table, even if it was not documented at the moment the risk assessment was performed.
Please note that ISO 27001 does not require you to write documents for each and every control. Only some controls will need to be documented later on as part of your ISO 27001 implementation - see the PDF document "List of documents" in the root folder of your toolkit to see which documents (and their related controls) need to be written down.
For further information, see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Having AS9100 scope for one aerospace product line and ISO 9001 scope for other parts of your organization is an acceptable thing to do, and I understand why you would want to do so. Just ensure you talk to your certification body about the scope change.
Examples of internal issues include: organizational structure, strategic direction, capabilities of employees, poor customer satisfaction, obsolete equipment, organizational culture, contractual agreements, loss of key personnel, etc.
Examples of external issues can be: oil price changes, political stability, changes in trade agreements, changes in exchange rates, technology shifts, loss of a main supplier, changes in laws and regulations, etc.
Examples of risks: a key supplier fails because it goes bankrupt, limited raw materials are available due to a natural disaster, employee turnover is high, etc.
The following material will provide you with more information about the context of the organization and risk-based thinking:
- How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Please check this free webinar on demand - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
All elements of ISO 9001 are applicable in the service industry. ISO 9001 is written in language that makes it applicable both to product manufacturing and to service provision.
You can find more information about ISO 9001 implementation in the following links:
- What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- Managing Production and Service Provision using ISO 9001 - https://advisera.com/9001academy/blog/2017/11/21/managing-production-and-service-provision-using-iso-9001/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Can you please advise what a face mask marked with CE 0197 and ISO 13485 carries, and what that corresponds to (BFC etc.)?
You can find the history of ISO 9001 in this article - The history and future of the ISO 9000 series of standards - https://advisera.com/9001academy/blog/2019/04/15/history-of-the-iso-9000-series-of-standards-and-what-to-expect-next/ - and the process of developing ISO standards in this article from ISO - Stages and Resources for Standards Development - https://www.iso.org/stages-and-resources-for-standards-development.html