1. I am having trouble finding out how these two documents are connected (are both needed?): 11.A.8.1_Inventory_of_Assets_Integrated and 07.1_Appendix_1_Risk_Assessment_Table_Integrated. In inventory of assets.
The Risk assessment table is a mandatory document if you want to be certified against ISO 27001, while the inventory of assets is needed only if control A.8.1.1 (Inventory of assets) is considered applicable to your ISMS.
The relation between these documents is that all assets identified in the Risk assessment table must be copied to the Inventory of assets provided the control A.8.1.1 is considered applicable.
2. How do we know how to assess "Impact/Consequences"? What do we base that rating on?
The way to perform the assessment of impact is defined in the Risk Assessment and Risk Treatment Methodology, located in folder 10 Risk Assessment and Risk Treatment of your toolkit.
The assessment of Impact/Consequences is based on the impact of the loss of confidentiality, integrity or availability of information.
By the way, included with your toolkit you have access to a video tutorial that can guide you through filling in the Risk Assessment table, with examples using real data.
This article may also be of interest to you: "How to assess consequences and likelihood in ISO 27001 risk analysis": https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
3. And how do we transfer that rating to the Risk Assessment table?
Once you have identified the impact/consequence level, whose range is defined in the Risk Assessment and Risk Treatment Methodology, you must enter this value in column G of the Risk Assessment table.
You can also see how this is done in the video tutorial mentioned in answer 2.
I am not sure I understand what your external auditor recommends.
ISO 9001:2015 does not allow exclusions, period. However, if one particular clause is not applicable within the quality management system scope, you do not exclude it; you just state that it is not applicable and explain why. Please check an example in this free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
Check also this article - What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
The duration would also be influenced by factors like the type and category of personal data processed, whether the data is shared with third-party processors, etc.
My guess is that this would take around 3 to 6 months, provided you are given full support from the management of the company.
Consider also that merely publishing some policies and procedures does not mean that an organization is compliant with the EU GDPR; you also need the processes to back up the documents.
I must admit that your previous message made me suspect that.
Yes, not all occurring non-conformities require a corrective action.
Yes, all occurring non-conformities need to be recorded. If your quality management system's internal rules require that non-conformities be recorded on a corrective action request, you have to do it and copy the corrective action from the first one.
Consider the possibility of simplifying your quality management system's internal rules by separating the recording of non-conformities from the recording of corrective actions. Please consider this article - ISO 9001 – Difference between correction and corrective action - https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/
An event is defined as a change of state, e.g. a port was up, now it's down; a server was alive, now it's not; a door was closed, now it's open; etc. The change of state refers to a configuration item (CI) or service, and tracking it helps to (proactively) maintain services and related CIs. I'm sure you have seen some kind of alert on your screen; that's an event. The event management process manages events throughout their lifecycle (from when they are raised until they are resolved).
An incident is an unplanned interruption (or reduction in quality) of an IT service. Incident management is the process which handles (records, diagnoses, resolves) incidents throughout their lifecycle.
A problem is the cause of one or more incidents, where the root cause of the problem is (usually) not known when the problem is raised. Problem management is responsible for finding the root cause of (one or more) incidents.
Here are articles that can help you further:
Incident – "Incident Management in ITIL – solid foundations of operational processes" https://advisera.com/20000academy/blog/2013/05/21/incident-management-itil-solid-foundations-operational-processes/
Event – "ITIL Event Management – Entry point of Service Operation" https://advisera.com/20000academy/blog/2015/03/10/itil-event-management-entry-point-of-service-operation/
Problem – "ITIL and ISO 20000 Problem Management – Organizing for problem resolution" https://advisera.com/20000academy/blog/2014/07/29/itil-iso-20000-problem-management-organizing-problem-resolution/
And, a free webinar: "ITIL Incident Management Process Demystified" https://advisera.com/20000academy/webinar/itil-incident-management-process-demystified-free-webinar-on-demand/
You can see the Service Desk as a "window" to your organization; it is the front line towards your clients and users. Here is more about the Service Desk – "Service Desk: Single point of contact" https://advisera.com/20000academy/knowledgebase/service-desk-single-point-contact/
By infrastructure operation center, I assume you mean IT Operations (at least, according to ITIL). They perform daily activities (in contrast to the Service Desk, which is actively involved in incident resolution).
Learn more in this article: "IT Operations Management Function in ITIL" https://advisera.com/20000academy/knowledgebase/operations-management-function-itil/
In this version of the standard, ISO 9001:2015, it is not necessary to create a Quality Manual; it is the organization itself that decides whether to write one or not. Companies often decide to keep it if they have implemented previous versions of the standard, since it serves as a guide for implementation, but it is no longer a mandatory document.
Here you can find more information about the mandatory documents in ISO 9001:2015:
- List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/
- Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
1. Do all environmental aspects of the organization have to be identified, even when the quantities generated are very small? For example, suppose that in our process we generate acrylic waste each time the whiteboards are replaced (once every 2 or 3 years). Is the ideal to identify that we generate a minimal amount of acrylic waste, or is the identification of environmental aspects not that specific?
What really matters is the impact that those environmental aspects will have on the environment. For example, if it is a very small quantity but the substance is very harmful to the environment, it will need to be taken into account even though the frequency is low. You have to look at the criteria your organization establishes for determining whether an environmental aspect is significant or not. It is true that it is not necessary to evaluate absolutely all environmental aspects, only those that have the potential to generate a significant impact on the environment.
2. Regarding environmental aspects regulated by some government agency, you mention that they become significant environmental aspects and that we must have a control over them; my question is whether we have to set an environmental objective with a metric as such for these. As you know, the standard in clause 6.2.1 says that the organization must establish environmental objectives taking into account the organization's significant environmental aspects.
Indeed, you must take into account all significant environmental aspects when planning your environmental objectives, including those established by government entities, as you rightly indicate in your question. For measuring them you can establish so-called KPIs, key performance indicators, to know whether those objectives have been achieved.
For more information about environmental aspects in ISO 14001:2015 see the following materials:
- Article - Environmental aspect identification and classification: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- Article - 4 steps in identification and evaluation of environmental aspects: https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
- Catalogue of environmental aspects: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
- Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
- Free online course – ISO 14001:2015 Foundations Course: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
Only if your organization manufactures in, or exports to, the European Union will RoHS be a compliance obligation to be met by your organization or by your representative in the European Union.
The following material will provide you with more information about compliance obligations:
Article - Compliance requirements according to ISO 14001:2015 – What has changed? - https://advisera.com/14001academy/blog/2015/09/14/compliance-requirements-according-to-iso-140012015-what-has-changed/
Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
A Compliance Audit is used to conclude whether, within the scope of an audit, there is compliance with established standards. So, it answers the question: are rules being followed?
A System Audit can also be a Compliance Audit if the audit objective is to verify compliance. A System Audit can also be a different kind of audit, like an audit to verify effectiveness. In that case, it answers the question: are the rules helping us meet our objectives?
My answer is based on the world of quality management systems. I know that “Systems Audit” is also used for audits used to validate the integrity of information and data stored in information systems.
Consider joining our free course on ISO 9001:2015 - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
The AS9100 Rev D standard includes all of the ISO 9001:2015 requirements with the addition of specific aerospace requirements (and nothing taken away); so, the answer is yes, if you have AS9100 you also have ISO 9001 (and many of the certificates include both standards printed on the certificate). You do not need to have a separate QMS for AS9100, and can integrate these additional requirements into your existing QMS for ISO 9001 and ISO 13485. You are correct, some of the requirements are similar between the two standards, as aerospace and medical devices are both highly regulated and might have similar legal restrictions.
If you want a better understanding of the AS9100 Rev D requirements to compare to your QMS, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d