There is not a specific format or standard to use for documenting those requirements.
For the context of the organization you can develop a procedure or just conduct a SWOT analysis with the relevant people of your organization. Doing so, you are demonstrating that you have determined the internal and external issues of your organization, since there is not a mandatory document regarding the context of the organization.
In regards to quality objectives, although there is not a common format to use, they must be SMART, that is specific, measurable, achievable, realistic and time-based, and they also need to have relevance at all levels of the company. Also, you should plan how to achieve those quality objectives and record them. You can check this article for more information about quality objectives - How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
Answer:
Documents relevant to a quality management system (QMS) must be controlled. Controlled documents are approved and reviewed by authorized functions – to avoid documents being issued or changed by anyone.
Changes and current document revision status are identified to avoid unintended use of obsolete versions. Obsolete versions are removed to avoid unintended use.
Controlled documents are available at points of use and are kept legible and readily identifiable.
Documents of external origin considered relevant to the QMS must be controlled: They must be identified, and updated versions kept.
Answer:
You can draw up the context of your organization by using the PESTEL technique (political, economic, social, technological, environmental, legislative) for determining external issues. For example:
New legislation can impact the future of your organization (positively or negatively) - Legislative
Positive or negative economic sentiment can influence demand for your organization’s products - Economic
More and more concern from society with the protection of workers can have an impact on your organization’s activities - Social
New materials and new technologies can be used in the manufacturing of your products - Technological
For determining internal issues:
Both documents and records are included within the so-called "documented information" in the standard. Documents are referred to in ISO 9001:2015 as documented information that needs to be maintained, while records are referred to as documented information that needs to be retained. So you can name it as you want, because either term, documented information or documents and records, is correct.
ISO 27001 requires risks to be periodically reviewed, or when situations that may impact the business occur, but it is not mandatory to identify new risks or create a new risk treatment plan.
However, it is highly unlikely that risks haven’t changed for so long (this situation will very probably call the attention of the certification auditor).
Some issues you have to consider in risk assessment that may trigger new risks are: new products, new technology, change of the location, change of customer profile, change of employees profile, new company strategy, etc.
Answer:
Determining the internal and external context is required by ISO 9001:2015. What is not mandatory is to have it documented. I think about the context of an organization as a way of thinking about the surroundings, the environment where an organization is operating, to avoid “making castles in the air”, to avoid big plans without keeping the feet on the ground. And to promote a reflection about risks and opportunities for the organization based on internal and external issues.
Answer:
First, you must know and formalize your knowledge of ISO 9001:2015.
Second, you must know good auditing practices.
Third, you must have experience doing internal audits.
Fourth, you must have training to be a lead auditor.
Fifth, you should contact a certification body and ask how you can apply to become a Lead Auditor.
2. What suits me better, taking the path of consulting or being an auditor?
Answer:
Either path that you take does not invalidate the other. I believe it even enhances the ability of an auditor to have the experience of a consultant and vice versa. So, you can start as a consultant and internal auditor and then also become a lead auditor for one or more certification bodies.
Answer:
You should start by getting clients and projects to ensure a stream of revenue. To win clients and start building a network of contacts and relationships, start a blog, participate in conferences, publish technical papers, and work as a subcontractor for bigger companies.
Where inside the document: Chapter 3.1 Introduction (first paragraph of the chapter)
What’s my question: The last sentence of the paragraph says: "There should be a procedure for registering users for each system and service." It doesn’t sound like a "must". In that case the person who is in charge of me says: if it’s not a fact we HAVE to do, we won’t do it (and I should delete the passage out of the paragraph). On the other hand this sentence expresses control A.9.2.1, which we definitely need to fulfill. What would the implementation of this sentence look like in general?
Answer:
The fact that this paragraph says "should" and not "must" is because if an organization has too many systems in the ISMS scope, implementing procedures for all of them would be impractical.
For arguments like the one you suggested, you can perform a risk analysis for specific systems to evaluate the risk of not having a registering procedure for that system. Alternatively, you can change the text of the Access Control Policy to something like this: "Procedure for registering users for each system and service must be considered based on risks related to each system and service."