Let us start with ISO 9000:2015 risk definition.
risk = effect of uncertainty
It's important to highlight the word "uncertainty". Something that we cannot control, something that is outside our level of control.
And an effect is a deviation from the expected — positive or negative.
So, one can say that risk is a deviation from the expected (positive or negative) resulting from a trigger event that we cannot control. By the way, the ability to control the trigger event is what separates a positive risk from an improvement opportunity.
ISO 9001:2015 mentions the following about risks: risks and opportunities related to the context of the organization; risks and opportunities related to products and services; and risks and opportunities related to processes.
What are we talking about when we talk about "the expected"? What are the expected results of a Purchasing process or of a Production process? Its objectives.
What are the expected results of products and services? The ability to comply with specifications, orders or contracts.
The following material will provide you more information about risks and opportunities:
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Please check this free webinar on demand - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
I recommend that a project team and project leader be determined. Perhaps our ISO 9001:2015 Lead Implementer Course could be of help because it has two parts (the first one is about ISO 9001:2015 foundations training – the project leader and some other team members must have some knowledge about the quality management standard – the second one is about good implementation practices) - https://advisera.com/training/iso-9001-lead-implementer-course/
After training, your team can perform a gap analysis to evaluate what is missing in your organization’s present practice. From there your project team can develop an implementation plan. I develop implementation plans with two main vectors for action: the top management avenue (with quality policy and objectives, action plans and context analysis); and the process approach avenue, where your project team should use the process approach and develop a model of how your organization works and can be seen as a set of processes. With that information, you can develop a project plan for the implementation (what is to be done, by whom, until when). ISO 9001:2015 no longer mandates the use of procedures, but almost all organizations develop some kind of procedures in order to standardize practices.
Documenting procedures is taking pictures of how the organization works today. But your organization’s top management looks into the future and wants a better organization. For that purpose, they develop a quality policy, quality objectives and action plans to transform today’s organization into the future’s organization.
After procedures’ development and implementation, perform an internal audit and then a management review.
The following material will provide you more information about implementation:
- Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
- ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
- Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
- How long does it take to implement an ISO 9001-based QMS? - https://advisera.com/9001academy/blog/2016/07/05/how-long-does-it-take-to-implement-an-iso-9001-based-qms/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
ISO 9001:2015 no longer requires the existence of a quality manual. So, organizations are free to decide which content they feel is useful.
I still recommend that organizations should develop a quality manual. I always think of a Quality Manual as a kind of identity card of an organization. So, I design Quality Manuals that answer questions like:
- Who are we? (picture of organization building and group photo of everybody working in the company)
- What do we do? (pictures of products or services being provided, the scope of the system and reference to any non-applicability of a clause)
- What are our values and commitments? (quality policy)
- Whom do we work for? (customers and other relevant interested parties)
- How do we work? (map of interrelated processes)
- Table with relevant documents for the quality management system
The following material will provide you more information about Quality Manuals:
- Article – The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
- Article - Writing a short Quality Manual - https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
There is no definitive timeline given for document retention in AS9100, since this will be different from document to document. You need to determine the retention for each document you create, with information coming from customer or legal requirements. For instance, contracts should tell you how long to keep records for that contract, and there are many aviation requirements to keep records for the lifetime of the aircraft, whereas some countries have a seven-year retention for financial documents. If you have no legal or contractual requirements telling you how long to keep a specific record, such as older versions of procedures that you have changed, then it is up to you to determine a retention time (we suggest 3 years).
You can find out more about the new documentation requirements in this article: A new approach to document and record control in AS9100, https://advisera.com/9100academy/knowledgebase/new-approach-to-document-and-record-control-in-as9100/
I am assuming that you are referring to ISO 9001 certification. Congratulations on certification!
There is no restriction prior to IATF certification, just make sure you are aligned with all its requirements.
For more information, take a look at our article: ISO 9001 vs IATF 16949 what is the difference: https://advisera.com/16949academy/blog/2019/11/19/iso-9001-vs-iatf-16949-what-is-the-difference/
The article Checklist of IATF 16949:2016 implementation steps may also help:
https://advisera.com/16949academy/knowledgebase/checklist-of-iatf-16949-2016-implementation-steps/
No, ISO 9001:2015 has no mandatory requirements about documented procedures. Even about work instructions or standard operating procedures, please check ISO 9001:2015 clause 4.4.2 where you can see that each organization has the authority to determine if a particular documented procedure or instruction is needed.
The following material will provide you information about required documentation:
- ISO 9001 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
ISO 9001:2015 no longer uses the word “exclusion”.
Does this mean that all clauses in the standard apply to an organization's quality management system (QMS)? No!
ISO 9001:2015 abandoned the word exclusion but introduced the word "applicability". Please check Annex A5 of ISO 9001:2015.
An organization can decide that a particular clause is not applicable if it is not relevant within its QMS scope. Please check slides 17 and 18 (one about tailoring the scope and the other about applicability) in this free webinar on demand - ISO 9001:2015 clause 4 (Context of the organization, interested parties and scope) – https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
To obtain support from top management to implement ISO 27001/ISO 22301, it is very important to show the benefits of the standard's implementation, which basically are:
- improvement of marketing edge
- decrease of costs with incidents
- decrease of effort to comply with legal requirements
- improvement of internal organization
This article can provide additional information: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
This free webinar will help you to know more about the benefits of ISO 27001:
- ISO 27001 benefits: How to obtain management support https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
1. I need just a document on segregation of duties with regards to Management of IT and IT Security?
In case the segregation of duties is needed, our recommended approach is to define the segregation in the specific documents where it is required (e.g., policies and procedures), instead of using a single document to centralize the segregation you need. This way people will focus on the specific documents they need to follow, instead of consulting multiple documents. This also decreases the administrative effort to manage documents and the risk of information inconsistency.
As an example of segregation of duties directly in the document, I can mention the backup policy, where you can define that one person is responsible for creating backups and another person is responsible for testing them. Another example is the document control procedure, where you can define that one person is responsible for creating documents and another person is responsible for approving them.
For further information, see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
2. Who is responsible for the drafting of the Cyber Security Management policy?
ISO 27001 does not prescribe who must elaborate required documents, so you can define any person your organization sees fit, provided he/she has the proper competence to do so (by means of experience, training or acquired knowledge). Considering this specific document, and if you have these roles in your organization, the responsible person may be the person responsible for information security or the person responsible for IT.
For further information, see:
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
3. What defines a small to medium business: the no. of people, geography, or both?
The most general parameters used to define the size of an organization are number of employees and its complexity, which can be evaluated by items like its internal processes and geographical distribution (e.g., sometimes an organization has few employees, but if they are working from remote locations, it is more complex to manage than an organization with more employees that work in the same location).
Our toolkit was developed considering small to medium business companies of up to 500 employees.
If your current documentation fulfills the requirements from clause 7.5 (e.g., documents are identified, reviewed and approved, protected, etc.), then you do not need to create additional documents with the same information. And if your current documentation does not fulfill clause 7.5 requirements, it is normally more productive to implement the requirements in this documentation than to create new documents.
This article will provide you further explanation about document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/