The first thing you should do is obtain the support of top management, which is who will provide the resources, both financial and personnel, to carry out the implementation project.
Then you should carry out a gap analysis in your organization to find out which requirements you currently meet and which ones you still need to meet. Here you can carry out that analysis - Gap analysis tool for ISO 9001: https://advisera.com/9001academy/es/herramienta-analisis-de-brecha-iso-9001/
So that you are clear on each of the requirements of the standard, I recommend that you read the following free report, which will help you understand each of the clauses of ISO 9001 - Clause by Clause explanation of ISO 9001:2015: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
Once you have this information on the requirements you must meet, you can begin to write a Project Plan, in which you set out each of the milestones of the implementation of the quality management system, as well as the deadlines, responsibilities, etc. Here you can download a free example of a Project Plan - Project Plan for the implementation of ISO 9001: https://info.advisera.com/9001academy/es/descarga-gratuita/plan-de-proyecto-para-la-implementacion-de-iso-9001-ms-word
After defining the Project Plan, you can start to determine how you will carry out the control of documents and records of the QMS. Then you can determine the quality policy and objectives, the scope of the QMS... and so on until you reach the internal audit and the management review. You can download this ISO 9001:2015 Implementation Diagram, which shows all the steps in the implementation of ISO 9001:2015: https://info.advisera.com/9001academy/es/descarga-gratuita/diagrama-de-implementacion-iso-90012015
These materials can also help you in the implementation of the ISO 9001:2015 standard:
- Enroll for free in this course - ISO 9001:2015 Foundations Course - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Defining the scope is a management decision, not a technical decision. Look at your organization as a whole. If you can find different groups of customers with very different requirements and expectations, or if you can find different sets of jobs almost independent of the rest of the organization, perhaps your organization can take advantage of certifying just part of it: to certify early, to avoid problems with unorganized customers, or to implement ISO 9001 step by step in a complex organization.
For example:
A hospital can decide to certify just the X ray service, and then the blood service, and then …
A manufacturing shoe company can decide to certify just the part of the business that works for uniform shoes and leave out the part that works for fashion.
The following material will provide you with information about the scope of a quality management system:
How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Certification is not mandatory. If an organization wants to reap the benefits of implementing and certifying a quality management system - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/, it has to make the transition from the 2008 version to the 2015 version.
The following material will provide you with information about the transition:
- Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? - https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/
- How to make the transition from ISO 9001:2008 revision to the 2015 revision - https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
- Free webinar – ISO 9001:2015 - How to make the transition from ISO 9001:2008 - https://advisera.com/9001academy/webinar/iso-90012015-how-to-make-the-transition-from-iso-90012008-free-webinar-on-demand/
- Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
The reason for not including the processes in the risk assessment methodology and templates is that we have based our risk assessment on the so-called "asset-based approach". This approach is the mainstream in the information security world because it provides the best balance between the precision of results and the amount of effort.
It is not recommended to mix assets with processes because this will only confuse things - the most optimal way is to go with the asset-based approach.
Therefore, you should only use the assets that your processes consist of.
You should include in the scope all assets you control directly - i.e. you would include data for SaaS, or data and application software for IaaS.
You'll find a more detailed explanation here: Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
If you are referring to SSL certificates, then control A.10.1.1 Policy on the use of cryptographic controls is probably applicable to you, while control A.10.1.2 Key management may not be applicable because you are not handling keys.
But you primarily need to assess your risks, and analyze requirements to define which controls are applicable and which not.
Here are a couple of helpful articles:
If your question is about whether you need to prepare documentation for a data breach, then from the perspective of ISO 27001 you do not need to do it, because ISO 27001 does not require such documents.
Depending on the country/state you are based in, such documents might be required because of local regulations - for example, EU GDPR requires you to have some documents for data breach, see this article: List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
In this EU GDPR Toolkit you'll find all the required templates: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
When discussing consultation and participation of workers in clause 5.4 of ISO 45001, the standard refers to workers’ representatives, where they exist. So, the ISO standard is not dictating that you have workers’ representatives, or how you determine them. The reason for this is that the rules for worker representatives in laws around the world are very different, and you must turn to the local laws if you want a definitive answer on how many worker representatives you need and how you choose them.
If you do not have a legal requirement, and wish to put worker representatives in place anyway, then how you choose them needs to be determined by you, the ISO 45001 standard does not have any requirements around this. A general rule of thumb for setting your own rules would be to ask yourself “How many representatives do we need, and how should they be distributed across departments, so that the consultation of all workers can happen effectively?” Remember, the production department is not the only place with OH&S rules and hazards.
For more on implementing clause 5.4, see the article: How to meet participation and consultation requirements in ISO 45001, https://advisera.com/45001academy/blog/2016/03/16/how-to-meet-participation-and-consultation-requirements-in-iso-45001/
Certainly, we will guide you on how to adapt the toolkit for your special circumstances - in the price of the toolkit, we include one-on-one consultations, document review, and unlimited email support - we will tell you which steps to take and what to pay attention to when implementing the standard.
The toolkit is suitable for any testing laboratory that wants to implement ISO 17025:2017 and seek accreditation, irrespective of whether it has external customers or, as in your case, is an in-house Quality Control laboratory, where the factory/manufacturing plant is your customer. In some ways it is simpler implementing for an in-house laboratory; for example, meeting reporting requirements is easier.
Note that while we offer advice on using the ISO 17025 toolkit to implement your management system, as well as on how to integrate the toolkit and ISO 17025 with other Management Systems you may have, the scope of the toolkit and our expertise is ISO 17025, not Food Safety (ISO 22000) or HACCP (Hazard Analysis and Critical Control Points) certification.
Here is a detailed description of the toolkit, where you can also download the free demo: ISO 17025 Documentation Toolkit https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Here are a couple of materials that can help you: