An example of monitoring results is the total downtime of a critical information system, and the evaluation would be the explanation of the main causes of the reported downtime.
Another example of monitoring results is the results of a vulnerability test, and the evaluation would be the explanation of what the results mean for the general performance of security controls.
Information like this is important because it helps top management decide whether the ISMS is fulfilling its objectives, which improvements are needed, changes to the scope, approval of the required resources, modifications to the main documents (e.g., top-level policies), etc.
This article will provide you with further explanation about management review:
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
First of all, thanks for this feedback.
Before answering your points, it is important to note that the definitions presented in the article are based on ISO 27000 standard, which defines vocabulary for Information Security Management based on ISO 27001. You can see this standard at this link: https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en
Now analyzing your text:
When Rhand says that an event has to be related to the possible failure of controls or “compromise of policies”, it is like saying that an incident is just a lot of events, or that all events are really junior incidents.
I understand that you are referring to this part of the article:
"Information security event: any occurrence related to assets or the environment indicating a possible compromise of policies or failure of controls, or an unmapped situation that can impact security."
Please note that the text refers explicitly to "information security event", not "event". The ISO 27000 defines them differently:
- event: occurrence of, or change in, a known/expected situation (note that it does not mention the impact or possible impact on security).
So neither the standard nor the text says that all events are junior incidents.
For me, non-compliance is something which is not in accordance with a standard or policy.
Please note that for ISO 27000 a nonconformity means not fulfilling a requirement, which can also be related to contractual or legal requirements (which are mandatory), not only standards and policies (which the organization decides to follow). So, controls may be performing in accordance with defined standards and policies, but you still may have a nonconformity if a contractual clause or law/regulation is not being followed.
If you need to learn about quality management systems for your skills development, I invite you to start with our ISO 9001:2015 Foundations Course. You can enroll for free. During the course you can select a theme and search our blog or our webinars about it; they are free. You can also buy one of our books about ISO 9001.
The following material will provide you with more information about ISO:
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Free webinars - https://advisera.com/9001academy/webinars/
- Blog - https://advisera.com/9001academy/blog/
- Books about ISO 9001 – https://advisera.com/books/iso-standard/iso-9001/
As I mentioned before, information about VW can be found in its “2018 Sustainability Report” (page 34) - https://www.volkswagenag.com/presence/nachhaltigkeit/documents/sustainability-report/2018/Nonfinancial_Report_2018_e.pdf
When it comes to Ford and GM, I remember a quality forum in 2000 where many tier 1 suppliers mentioned that on that day they had received letters from GM, Ford, Chrysler and Honda with a date to be certified.
An organization cannot get a Ford Q1 status without being ISO 14001 certified – please check “Ford GRI INDEX 2018/19” (pages 16 and 17) - https://corporate.ford.com/microsites/sustainability-report-2018-19/assets/files/sr18-gri.pdf
In the case of GM I could not find any official document stating what they requested in 2000.
Unfortunately, at this moment our ISO 27001 LI exam is not accredited, but we are in the accreditation process. As soon as this process is concluded, our customers will be contacted.
All other exams we provide are accredited (ISO 27001 Internal Auditor and ISO 27001 Lead Auditor).
This article will provide you with further explanation about the ISO 27001 Lead Implementer course:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
You can find below my answers to your questions:
1. These are the similarities between a QMS and the EFQM model:
- In ISO 9001:2015 we find interested parties, while in the EFQM model we have the similar concept of stakeholders
- Context of the organization
- Strategic direction
- Risk based thinking
- Performance evaluation
- Organizational knowledge management
These are the differences:
In the case of EFQM these are requirements not covered by ISO 9001:
- is focused on results of planning, measurement and achievement
- mentions financial performance, which is not covered in ISO 9001
- there is a clear relationship between cause and effect
- includes a detailed assessment and scoring while in ISO 9001 there are auditing requirements, that could be more subjective
In the case of ISO 9001 these are requirements not covered by EFQM model:
- Internal audit
- Control of documented information
- Quality improvement covered by: correction and corrective actions, continual improvement, etc.
- Operation requirements, such as operational planning and control, product and service requirements, design and development, control of providers, product and service provision, etc.
Both the ISO 9001 standard and the EFQM Model rely on this philosophy to develop their operation. However, while ISO 9001 focuses on defining minimum requirements that organizations using this standard must meet, the EFQM Excellence Model aims to achieve perfection, without defining minimum requirements, and seeks to guide organizations on which aspects they are good at and which aspects they can improve.
2. You can integrate them; however, you need to think about whether that is really worthwhile for your organization, since both seek quality of products and services.
3. You don't have to comply with mandatory documentation in the EFQM model as you need to do with ISO 9001:2015. In the EFQM model you need to comply with a Self-Assessment against 9 criteria and your Action Plan.
Here you can find a list with the mandatory documents and records in ISO 9001:2015 - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
4. If you integrate, it will require some extra effort, while if you decide just to go for one model you can focus the quality of your products and services in just one direction. See which one benefits your organization most and go for it. EFQM is mostly used by European organizations, while ISO 9001:2015 is globally recognized.
For more information about the benefits of ISO 9001:2015, see this article - Six key benefits of ISO 9001 implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
These materials can help you understand ISO 9001:2015 and the EFQM model better:
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
There were no changes in requirements about external documents in the transition from ISO 9001:2008 to ISO 9001:2015. External documents relevant to the quality management system should be identified and controlled. Please see the penultimate paragraph of ISO 9001:2015 clause 7.5.3.2.
Determining the relevant interested parties is the first step in determining what kind of external documents can be relevant for your quality management system.
The following material will provide you with more information about external documents:
- Article - What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
- Article - How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
I am looking for the terminology that would be used when a company is producing machinery and equipment. Can you help?
There is no universal rule; that depends on each country and economic sector.
Some organizations have contracts with law firms, some pay companies that monitor legislation, some belong to sector associations that perform that service (both for legislation and standards), and some belong to groups that work with national standardization bodies and have access to what is being developed and will be applied. Some check the internet daily, monitoring any new output from regulatory bodies.
The following material will provide you with information about external documentation:
- Article - What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
For information about interfaces and integration between ISO 20000 and ISO 27001, I suggest you take a look at this free downloadable material:
- ISO 27001 vs. ISO 20000 matrix https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-20000-matrix
This matrix shows the relationships between clauses of ISO 27001 and ISO 20000, and gives an overview of common requirements of these two standards with tips on how to fulfill them with as little documentation as possible.
This article will provide you with further explanation about integrating management systems:
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/