If you want to become an ISO 9001 implementer it is important that you acquire two competencies:
Learn about ISO 9001:2015, the reference standard to develop a quality management system;
Learn about good implementation practices.
ISO 27001 can be used to prevent third-party data risk by means of:
- Identification of relevant data risks imposed by third parties with access to information
- Definition of proper treatment options and controls to reduce risks to acceptable levels
- Establishment of contracts or legal agreements including clauses to enforce the application of previously defined controls (for third-parties authorized to access information assets)
This last article also covers conditions for third-parties working for the organization.
Procedure for commercial activities
Answer:
ISO 9001:2015 has no mandatory procedures. Please check clause 4.4.2 a). It is up to each organization to decide which procedures are needed to support operations.
Most organizations decide to develop procedures to describe how processes should be performed, and work instructions to describe how specific activities should be done.
A commercial procedure could be one that describes how requests for quotation are received and treated, and how proposals are elaborated, approved, sent and negotiated until an agreement is reached.
Answer:
The PDCA cycle is embedded in the way ISO 14001 was written. If someone does not follow the PDCA cycle it will, most likely, be inefficient and ineffective.
Following the PDCA cycle is a way of trying to avoid a situation where something not needed is done. The PDCA cycle helps us start where action is needed. If an organization does not follow the PDCA cycle it can do a lot of work, use precious resources, and make progress in areas where change is not a priority.
Following the PDCA cycle is a way of promoting continuous improvement because the end of a cycle can be the start of the next one.
Answer:
First, you can go to an internet search engine and look for "environmental management system certificate textile" or "environmental management system certificate knit garments" to see several real-life examples of environmental management systems' certificates stating their scope.
You can see that some are very general "manufacturing of garments" and others are very detailed.
Second, your proposal goes into the more detailed field and I believe there is no problem with that.
By the way, if your organization has more than one location, some certification bodies require the applicable location to be identified in the scope statement.
Although these templates were created for a Quality Management System, they can also be used for an ISO 27001 ISMS, but please note that ISO 9001 supplier evaluation does not cover information security aspects. For that I suggest you work these templates together with the Supplier Security Policy and Security Clauses for Suppliers and Partners, included in your toolkit in folder 08 Annex A Security Controls A.15 Supplier Relationships.
>The response does not answer my question. The PCI QSA requirements stipulate that, in order to qualify for QSA, a candidate must hold certifications from each of two lists: a list of security certifications and a list of auditor certifications. The list of auditor certifications includes ISO 27001 Lead Auditor.
>Would taking this course and passing the exam satisfy the requirement for an auditor certification as stipulated by the PCI QSA prerequisites?
Answer:
First of all, sorry for this misunderstanding.
Our ISO 27001 Lead Auditor course is accredited by Exemplar Global (formerly known as RABQSA), so once you pass the final exam the issued ISO 27001 Lead Auditor certificate can be used to fulfill the related prerequisite on your path to becoming a PCI QSA.
ISO 27001 - Policy for permitted use / Policy for information transfer
The policy for permitted use contains the record of permitted communication channels. I already added the same record to the policy for information transfer. The policy for permitted use refers to the other policy, which contains the record. In my opinion I would be able to delete the record in the policy for permitted use (if it's already in the policy for information transfer). Is that correct?
Answer: Please note that section 3.6 of the Policy for permitted use (which refers to information transfer) must be kept only if you do not use the Policy for information transfer. In case the Policy for information transfer is a separate document, you can delete section 3.6 and the related record from the Policy for permitted use. This way, information about information transfer will be in only one document, minimizing the risk of conflicting information.
Test requirements and ISO 9001
Answer:
ISO 9001:2015 considers test requirements for:
Approval of new products and services performance (clause 8.3.4)
Approval of materials and services acquired from external providers (clause 8.4.2)
Approval of final product or service (clause 8.6)
Answer: Please note that "organizational units for information and communication technology" is only an example of users of this document to consider. You can change it to whatever users you see as relevant for your organization.
2 - Should the policy not be relevant to all employees of the company? Especially when the type of information (for which the communication channel will be defined) represents all assets of the organization? (Meaning the assets we chose for the risk assessment.) So far I have made a matrix of the allowed communication channels depending on the information type.
Answer: Please also note that for ISO 27001 this policy covers external parties and electronic communication, so for employees who neither use electronic communication nor have contact with external parties this policy would make no sense. Of course, if these scenarios do not occur in your organization you can state that this policy is applicable to all your employees.