Search results


  • A formal documented QMS


    Answer:
    ISO 9001 is an international standard for a quality management system. ISO 9001:2015 has some mandatory documents like maintaining a quality policy. ISO 9001:2015 gives a lot of autonomy to organizations to determine which documents are needed (please see clause 4.4.2).
    The following materials will provide you more information about documenting a quality management system:
    - Article – What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
    - ISO 9001 Implementation diagram - Download a complimentary checklist (PDF) - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
    - Clause-by-clause explanation of ISO 9001:2015 - Download a complimentary white paper (PDF) - https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - If you need help or want to develop documentation faster, check - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Cyber attack security controls


    Answer:

    I'm assuming that your doubt is which standard can provide better guidance in the identification of cyber attack security controls and precaution measures.

    Considering that, the standard of choice is the ISO 27001, which provides general recommendations for information security that can be adapted for cyber security.

    Regarding definition of responsibilities, business continuity related to ISO 27001 is focused on disaster recovery of IT infrastructure, so if your organization's needs for business continuity go beyond that (i.e., the potential impacts go beyond information-related issues), probably the responsibility should remain with BCM.

    For further information, please see:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
  • Templates content for risk assessment and treatment


    Answer:

    Please note that while risk analysis results are recorded in the Risk Assessment Table template, the defined controls and residual risks are recorded in the Risk Treatment Table template, which can be found at this link: https://advisera.com/27001academy/documentation/risk-treatment-table/

    So, you will need both templates to record the results of the risk assessment and treatment.

    To see how to completely cover the risk assessment and treatment process I suggest you to take a look at our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    For further information, please see:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • SoA classification level


    Answer:
    Because the SoA contains a lot of information about how the organization approaches information security, it is a sensitive document and access to it should be restricted to personnel that require it to perform their activities (e.g., top and middle management, and the security officer), and in most cases this does not cover all employees. Considering that, in most classification frameworks the lowest level which has this kind of restriction is the "Restricted" level, but you have to check your own framework to confirm that. You should avoid using the highest classification level you have, because in most scenarios the highest classification level will demand controls that will be too much to protect the SoA.

    For further information see: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Anti-spam regulations

    We have received an additional question:

    >The GDPR does not directly regulate spam but it places consent as a condition for direct marketing in certain situations?

    Answer:

    The GDPR establishes the rules around consent and those rules need to be respected whenever using consent as your lawful grounds for sending the advertisement. The GDPR also allows for direct marketing based on legitimate interest.

    However, the GDPR does not say that direct marketing always constitutes a legitimate interest, and whether your processing is lawful on the basis of legitimate interests depends on the particular circumstances. Some forms of marketing may not be legitimate if they do not comply with other legal or ethical standards or with industry codes of practice. However, as long as the marketing is carried out in compliance with the e-privacy laws I mentioned previously and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest.
  • AS9100: Audit questions

    This is a question best asked of your certification body, as they will have better insight into what they can and cannot accept under their own internal rules. However, generally these clauses are not possible to exclude from the QMS. Unless your QMS scope is design only, and you never will build anything, the certification body will need to have something to audit if build and test is part of your scope.

    I do understand that you are not yet using these processes as you are still in the design phase, but I believe the certification body will expect you to at least have the plans in place on what will be done for these clauses for your initial build, including having the procedures (clause 8.7 procedure is mandatory) and have identified the format of the required records for these processes. You may not have used them yet, so you will not have records created yet, but having them in their initial stages will be needed.

    Of course, it will be understood that these processes are expected to be updated and improved as you begin to use them, but having them in place will be necessary to include build and test in your QMS scope.
    You can learn a bit more from this related ISO 9001 article: Understanding product & service provision in ISO 9001, http://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/

  • ISO 45001: Worker involvement in improvement


    Answer:
    Clause 5.4 d, 9 requires that you consult non-managerial workers on continual improvement of the OHSMS. This entire clause is based on the fact that workers are the most immediate interested parties within your OHSMS as they are directly affected by your efforts to improve OH&S within the workplace. Additionally, continual improvement and involvement of people are two of the main principles behind all of the ISO management system standards, and the best way to identify improvement within the processes is through the use of the people involved.
    This requirement is pointing to the need to have workers involved in making the OHSMS better within your company to improve the processes and reduce the incidences of injury or ill health.

    For a better understanding of the worker participation and consultation requirements, see the article: How to meet participation and consultation requirements in ISO 45001, https://advisera.com/45001academy/blog/2016/03/16/how-to-meet-participation-and-consultation-requirements-in-iso-45001/
  • ISO 45001 Clause 4.1 & 4.2


    Answer:
    Clause 4 of ISO 45001:2018 is all about understanding the context of your organization, or in other words what affects your company, so that you can determine where and how the rules and policies will be applied. Clause 4.1 asks you to determine internal and external issues that affect your OHSMS, so what issues affect how you ensure a safe workplace. Internal issues could include the level of safety culture within your company and industry. External issues could include a push in your industry to eliminate a certain hazardous chemical, or the issue that a supplier will stop making a product that you use which is the safest product available and needs to be replaced with a more hazardous one.
    Clause 4.2 asks you to understand who is interested in your OHSMS and what their needs and expectations are. While workers are identified as interested parties and have the expectation that they will not suffer injury or ill health at work, there are other interested parties who will have needs to be fulfilled. This could include government agencies that have laws in place related to your workplace OH&S,
    For a better understanding of interested parties in ISO 45001, see the article: Determining interested parties according to ISO 45001, https://advisera.com/45001academy/blog/2018/03/14/determining-interested-parties-according-to-iso-45001/
  • Comparing environmental performance


    Answer:
    If both companies are ISO 14001 certified, we can expect that at least both companies comply with environmental legislation and regulation.
    If you want to compare their environmental performance, you can ask them their environmental objectives and main indicators and a list of their most relevant environmental impacts. Two companies can comply with the same legislation and yet have very different environmental performances.
    Even if those companies are not based in Europe, you can ask them if they have any study or report about their own situation against Best Available Techniques (BAT) in their industry.
    There is no requirement in ISO 14001:2015 that states that companies should share that information with interested parties. Your company, as a potential customer, can request that information and hope for their openness.

    The following material will provide you more information about environmental performance:
    - Article - Environmental performance evaluation - https://advisera.com/14001academy/blog/2015/07/06/environmental-performance-evaluation/
    - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    - Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
  • Documents for IATF audit


    Answer:

    When it comes to an IATF audit, the same documents are needed for a die mold shop as for any other audit.

    To see a list of mandatory documents for an IATF audit, please read the article:
    List of mandatory documents required by IATF 16949:2016
    https://advisera.com/16949academy/knowledgebase/list-of-mandatory-documents-required-by-iatf-16949-2016/

    Examples of documents that can be used are checklists, production plans, and PPAP, control plans (SPC and APQP), risk analysis (FMEA), records of Measurement system analysis (MSA), preventive and predictive maintenance and similar.

    For more about IATF 16949:2016 internal audits, please read the article:
    IATF 16949 audit types and how they affect process improvement
    https://advisera.com/16949academy/blog/2017/11/01/iatf-16949-audit-types-how-they-affect-process-improvement/