
  • Coding ISO 9001 documents

    There is no universal rule to follow when coding ISO documents.

    I can only tell you about my practice. 

    ISO 9001:2015 invites us to follow the process approach. So, I model how the quality management system works, as a set of interrelated processes, and I code each process with a number and a verb+noun. Like:

    1. Win order

    2. Buy material

    3. Provide service

    4. Develop new service

    5. Install service

    Now I use that numbering as the basis for coding the documentation. Like, for example:

    PD1.0 – Process Description 1, version 0.
    Any work instruction related to Process Description 1 is coded as WI 1.1; WI 1.2; …

    Forms, I code them with a serial number.

    The following material will provide you information about the document control:

    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - ISO 9001 blog – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Free webinar on demand - Free webinar – How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/
    - Free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • Internal Audits

    You can have one Internal Audit Report; you just need to have different audits for all three types of audits. The manufacturing process audit is not the same as a product audit: in a product audit you are auditing the product itself against the specification you have.

  • Data subjects’ consent in a mobile app

    The Regulation requires Privacy Notices to be concise, transparent, intelligible and easily accessible. Although the Regulation should standardize the content of your privacy notices, it is likely that they will still need to be translated into local languages if they are directed at a particular jurisdiction. In particular, it is hard to see how your notice can be “accessible” if it is in a language the individual does not understand. Similarly, in some Member States such as France, the use of a local language for consumers and employees is mandatory under consumer protection and employment law.

    If you want to find out more about privacy notices, check out this free webinar: Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)

  • FOI legislation

    Some of the documents in the Toolkit are meant to be public so there are no IPR issues here if the legal entity is bound by statutory requirements of transparency to make them public. The same goes for the other documents if there is a statutory legal requirement to make them available in certain cases.

  • Incident response plan

    To build an Incident Response Plan you should consider the following information:
    - Name, job title and contact information of personnel required to handle specific incidents (e.g., system/network administrator for IT-related incidents, facilities manager for premises related incidents, etc.).
    - Which external parties should be contacted (e.g., customers, partners, media, public services/authorities, etc.), in which situation, through which communication channel (e.g., by phone, e-mail, press conference, etc.) and by whom.
    - Types of incidents that should be handled by the plan (e.g., fire, premises evacuation, service failure, etc.)
    - Details on how to treat each of the identified incidents (e.g., for fire: summon the fire brigade, start premises evacuation, call the fire department, etc.)

    To see what an incident response plan looks like, please see this free demo:
    - Incident Response Plan https://advisera.com/27001academy/documentation/incident-response-plan/

    These articles will provide you further explanation about incident management and response plan:
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
    - How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    These materials will also help you regarding incident management and response plan:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Writing a business continuity plan according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/

  • Risk and opportunities in QMS

    Is it required to identify risk and opportunities for each process in QMS?

    Answer:

    Short and straight answer: no.

    More detailed answer: It is not mandatory, but I bet that all organizations determine risks and opportunities in every process, even without being aware that they are doing so. For example, why do organizations:

    • Evaluate training effectiveness?
    • Select people that they want to admit?
    • Define authorities to issue orders to suppliers?
    • Order supplies before they are out of stock?
    • Control quality of supplies at reception? 
    • Review and approve customers’ orders? 
    • Control production process and product/service quality? 
    • Control design and development projects? 

    Behind each of those activities is a risk that organizations want to prevent.

    Is it required to identify issues, interested parties and associated risks for each process or department?

    Answer:

    Short and straight answer: no.

    Normally, when determining issues and interested parties, organizations think more broadly: they consider the whole organization. For example, if a rise in trade barriers affects your organization, or if a new regulation makes part of your product range obsolete, that’s not a process or department issue. What happens is that when your organization considers the issues determined in clause 4.1 and what is relevant for interested parties, determined in clause 4.2, you determine another kind of risk. For example, loss of market share due to trade barriers and more demanding regulatory requirements.

    The following material will provide you information about the risk-based approach, context and interested parties:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
    - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • ISO 45001 requirement for Internal Audit

    The ISO 45001:2018 standard does not dictate that you need to be certified in ISO 45001 to conduct internal audits; however, the standard does state that you need to identify the competencies for internal auditors, as with all other jobs in your organization. These competencies should certainly include knowledge of the ISO 45001 standard and how it applies to the organization, but certification to the standard is not a requirement.

    To find out more about the competencies of auditors for ISO 45001, see the article: What competences should an ISO 45001 internal auditor have? https://advisera.com/45001academy/blog/2019/10/31/iso-45001-internal-auditor-what-competences-are-needed/

  • Template content

    I'm assuming you are referring to the whole table in the mentioned section, because it is not very useful without the column containing the record name.

    Considering that, please note that section 4, "Managing records kept on the basis of this document", appears in templates when some sort of evidence is required to be recorded as proof that a required activity was performed.
    Our templates suggest the minimum records you should keep as evidence, but depending on your scenario you may include more records.
    If at the moment of document implementation you do not have the required record, then you must start to create the record when performing the activity, or you will be at risk of a non-compliance for not having proper records.

    This article will provide you further explanation about record management:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    This material will also help you regarding record management:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • Performing risk assessment and risk treatment

    General steps for risk assessment and treatment are:

    • Risk identification (i.e., identification of elements that compose the risk, and already implemented controls)
    • Risk analysis (i.e., the definition of risk value, considering any already implemented controls)
    • Risk evaluation (i.e., comparing the risk value to risk acceptance criteria to decide if additional treatment is required)
    • Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)

    Considering your scenario, and the asset-threat-vulnerability approach, we would have as an example:
    - Risk identification: assets would be any power-dependent equipment (e.g., servers, desktops, routers, etc.), threat (power failure), vulnerability (lack of power generator), and implemented control (UPS)
    - Risk analysis: without any emergency power supply, your operations will run only as long as the charge of your UPSs lasts before normal power supply is recovered, so the risk of operational disruption will increase with time (i.e., to value the risk you have to consider how long your UPSs will last and how long it will take for normal power supply to be reestablished).
    - Risk evaluation: considering your risk evaluation criteria, you can decide how to treat the risk (e.g., mitigate, transfer, accept, or avoid)
    - Risk treatment: for mitigation, you may decide to keep the power supply; for transfer, you can decide to operate in a facility physically maintained by a third party; or you can do nothing and absorb the impact if the risk occurs.

    Please note that this analysis is valid only for this scenario. For example, if the asset to be removed is a notebook, you must take other considerations into account, like the information stored in the notebook.

    This material will provide you further explanation about risk assessment and treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment and treatment:
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • ISO 27001 - what to do after certification

    1. Just a quick question. After you go through all the steps in the ISO27001, and after you get the recertification, do you need to redo a risk assessment every year? Or do you just follow-up on the risks?

    For ISO 27001, it is mandatory that risk assessment be performed at planned intervals, or when significant changes (i.e., related to defined criteria to perform risk assessment) are proposed or occur. Considering that, you cannot just follow-up on identified risks, but you have to perform at least one risk assessment between the audits planned by your certification body. For example, if your surveillance audits are annual, then you have to perform at least one risk assessment per year.

    2. And risk-wise, do you do a threat modeling/profiling to better capture risks or what would you recommend?

    Threat modeling/profiling is a good approach to help identify risks, but please note it is not mandatory for ISO 27001, so you should consider the costs and benefits of such an approach for each risk assessment you perform (e.g., for a big and complex risk assessment it may be useful, but for a smaller-scope risk assessment a simple brainstorming technique may be simpler and obtain quite good results).

    3. And finally, what would you recommend to do yearly (and plan yearly) so that the certificate is kept in good health? Thank you very much in advance, any help is indeed greatly appreciated.

    One of the main advantages of a management system is that it already defines what must be done to keep the system up and running. The main points to be performed are:
    - risk assessment and treatment
    - awareness and training
    - monitoring, measurement, analysis, and evaluation of controls and security objectives
    - internal audit
    - management review

    By performing these activities, you will be aware of which corrections and improvements are needed and the priority they need to have to ensure the ISMS is continuously compliant and achieving its objectives.

    These articles will provide you further explanation about these topics:
    - How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
    - Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
