
  • Audit standard

    Could you suggest some audit standards with which I can improve my knowledge as well as grow in my career?

    Answer:

    Considering ISO standards, the standard to know is ISO 19011, which provides guidance on auditing management systems. You can find this standard here: https://www.iso.org/standard/70017.html

    This article will provide you further explanation about becoming an auditor:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    These articles will provide you further information about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • ISO 27001 certification

    First, it is important to note that ISO 27002 is not a certifiable standard. The certifiable standard is ISO 27001, and provided that your security program can fulfill all requirements defined in sections 4 to 10 of ISO 27001, you can look for certification.

    These articles will provide you further explanation about ISO 27001, ISO 27001 certification and use of control frameworks:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Applying clause 8.5.1


    Answer

    Let us check every item on that clause:
    a) Do you have product specifications that describe features and performance targets?
    b) Do you have the necessary monitoring and measuring resources to confirm product quality according to specifications and performance targets?
    c) Do you have a process control plan that defines for each manufacturing step what is relevant to control with what frequency and within which limits in the process? (For example, temperature or pressure control). Do you have a process control plan that defines for each manufacturing step what kind of quality control should be done for raw-materials and work-in-progress materials with what frequency and within which limits? (For example, impurity content)
    d) Do you have suitable equipment? (Any abnormal rate of breakdowns or lost production time?) Do you have a suitable environment? (If relevant to protect product quality – moisture control, pest control, contamination control, …)
    e) Do you have enough people in your production process? Are they competent according to your own criteria? Are there any external competency requirements that need to be fulfilled? (For example, in a construction company, a civil engineer may be required.)
    f) Do you have any relevant production steps where quality cannot be measured after the step? (It is not practical, or it is very expensive.) For example, do you need to ensure sterilization of a tank? (You need to develop a method to ensure sterilization, then apply the method and validate the method by making tests. After validation, ensure that you apply the method.)
    g) Determine risks of human error, evaluate potential consequences and implement actions to prevent it. (What the Japanese call “poka-yoke”. For example, once I was distracted and started to fill the gas tank of my car. However, I could not do it; the hose did not go into the car, it was too large. It was then that I realized that I had picked the diesel hose and my car ran on gasoline.)
    h) What kind of control is needed during delivery? (No need of release or post-delivery activities

    The following material will provide you more information about production control:
    - ISO 9001 – Understanding Product & Service Provision in ISO 9001 - https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Revision and changes


    Answer

    If you change a form and at the same time you keep its designation, you should change the revision code. If you don’t do that, there is the risk of different people using different versions of the form at the same time. Many years ago, before ISO 9001 implementation, I was quality manager at a company and was discussing by telephone the features of a product with one of our commercial representatives in another country. After some time, we realized that we were using different versions of the product specification. We only found out because, fortunately, each version had text in different colors.

    The following material will provide you more information about effectiveness:
    - ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://training.advisera.com/course/iso-90012015-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Efficiency and effectiveness

    "To track implementation of the strategic plan through monitoring and evaluation of the first cycle M&E plan by 2019" – is it a good objective?
    "To ensure efficient use of resources by measuring effectiveness of the systems by June 2019"

    Answer

    Your organization wants to ensure efficient use of resources.
    If your organization meets efficiency targets, your purpose will be satisfied and your management system will be effective. You see, it is because your organization is efficient that the management system will be considered effective, not the other way around.
    What are the most relevant topics concerning efficiency in your organization? Is it energy per amount produced? Is it man-hours per amount produced? Is it production quantity per hour?
    Good objectives will be about energy consumption per amount produced, or man-hours needed per amount produced, or production quantity per hour. If your organization meets its targets for each objective it will be efficient, and by meeting all objectives it will be effective.


    The following material will provide you more information about effectiveness:
    - ISO 9001 – Practical tips for measuring your QMS according to ISO 9001:2015 clause 9.1 - https://advisera.com/9001academy/blog/2017/08/29/practical-tips-for-measuring-your-qms-according-to-iso-90012015-clause-9-1/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 9001 vs ISO 22000


    Answer

    Yes, ISO 9001 is a general-use standard; it can be applied in all economic sectors. ISO 22000 is for the food industry.

    The following material will provide you more information about the difference between ISO 9001 and ISO 22000:
    - ISO 9001 – Similarities and differences between ISO 9001 and ISO 22000 - https://advisera.com/9001academy/blog/2018/11/20/similarities-and-differences-between-iso-9001-and-iso-22000/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Defining good objectives


    Answer

    I do not consider that proposal as a good objective. ISO 9000:2015 defines objective as a result to be achieved, not as an activity to be performed.
    Your organization has a strategic plan. If that plan is valid and effective what major results will be achieved? Those major results can be your objectives.

    The following material will provide you more information about good objective definition:
    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - What has changed with quality objectives in ISO 9001:2015? - https://advisera.com/9001academy/blog/2018/05/08/what-has-changed-with-quality-objectives-in-iso-90012015/
    - Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ -2015-free-webinar-on-demand/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • How to reduce documentation in a QMS


    Answer:

    In fact, this new version of the ISO 9001:2015 standard requires much less documented information than the previous versions. Nevertheless, in this article you can check which documents and records are mandatory in order to certify your QMS - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    On the other hand, keep in mind that no procedure is mandatory, and that it is solely and exclusively up to the organization to decide whether they are necessary for the correct operation of the processes or the future maintenance of the quality management system. My recommendation is to write those that are crucial for the organization.

    And finally, remember that only the records and documents that serve the correct operation and effectiveness of your quality management system and its scope are necessary.

    For more information on how to reduce the amount of documentation in ISO 9001:2015, see the following materials:
    - Article - New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Physical access control


    An organization is using an access control system via card authentication to control physical entry and exit to a location within the ISMS scope. The software that drives this access control was found to be 8 years old and outdated, with inherent vulnerabilities, since the OEM has released much newer versions with added security and performance features. Should this not be a minor nonconformity, given that this access software that drives this physical entry control could be compromised or fail outright, since it has been 8 years without any update and is outdated?

    Answer:

    First, it is important to note that a nonconformity is based on evidence that something required was not planned or was not performed as planned.

    Considering that, and your stated scenario, you have evidence that the software that drives this access control was not properly updated, and a minor nonconformity is more related to controls A.12.5.1 (Installation of software on operational systems) and A.12.6.1 (Management of technical vulnerabilities) than to control A.11.1.2 (Physical entry controls).

    A nonconformity related to control A.11.1.2 must be based on evidence of failure of the control (e.g., reported incidents of unauthorized access), and your stated scenario only mentions a possible access compromise (which in fact is an increase in the risk, not a nonconformity).

    These articles will provide you further explanation about access control and vulnerability management:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
    - How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
  • Inputs for risk assessment

    >I understand it this way but also have a question

    >Step 1: List assets & the trigger from Internal and external issues (within ISMS Scope) – >Perform CIA is addressed High/Medium/VH

    Answer: Internal and external issues are only part of the elements used to identify assets for the risk assessment. The best way to build an asset inventory is to interview the head of each department and list all the assets the department uses. The easiest is the “describe-what-you-see” technique – basically, ask this person e.g. to list all the software that he or she sees installed on the computer, all the documents in their folders and file cabinets, all the people working in the department, all the equipment seen in their offices, etc.

    For further information, see: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    >Step 2: For Medium and High/VH from Step 1, list Threats & Vulnerabilities, then calculate the probability & impact rating that has values (based on what we define)

    >Question: Where do we determine risk here? Where do we write the risk, or do we need a column here for writing the risk? As I see it, there are only threats, vulnerabilities, probability, impact and risk rating.

    Answer: First, it is important to note that when performing risk identification through the asset-vulnerability-threat approach you do not write a risk text (e.g., risk of data loss due to equipment failure). In this approach, the identification of the relation asset-vulnerability-threat is the risk statement (e.g., paper report - single copy - fire, or electronic record - single copy - storage unit failure).

    >Step 3: Input from Step 2: prioritized risks to address. Where do we write risks? (I see only threats and vulnerabilities and the risk ranking that we will further address.)
    >Step 3: Based on the higher risk rating we select controls. Find gaps and address them.
    >Step 4: SoA

    >Dejan, the explanation of the first step, to start with threats and vulnerabilities, thereby aligning to assets within the ISMS scope, is an interesting write-up. But I lack an understanding of how to define the overall definitions.

    Answer: For a better understanding of the overall risk assessment process, I suggest you see this webinar:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
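    The point made in the answer above, that in the asset-vulnerability-threat approach the triple itself is the risk statement and the rating is derived from the probability and impact values the organization defines, can be shown as a small risk register. This is an added example written for this page, not code from Advisera or from the ISO 27001 standard; the 1–3 scales, the multiplicative rating and the acceptance threshold of 3 are assumptions a hypothetical methodology might define, and the register entries are constructed sample data.

```python
"""Added example: a minimal asset-vulnerability-threat risk register.

Each risk is the triple (asset, vulnerability, threat); there is no free-text
"risk" column. Likelihood and impact use an assumed 1..3 scale and the
rating is their product; the acceptance threshold is also an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Risk:
    asset: str
    vulnerability: str
    threat: str
    likelihood: int  # assumed scale: 1 = low, 2 = medium, 3 = high
    impact: int      # assumed scale: 1 = low, 2 = medium, 3 = high

    def rating(self) -> int:
        # Assumed methodology: rating = likelihood x impact (range 1..9).
        return self.likelihood * self.impact

    def statement(self) -> str:
        # The triple is the risk statement used in the register.
        return f"{self.asset} - {self.vulnerability} - {self.threat}"


def validate(risk: Risk) -> None:
    """Reject ratings outside the scale the methodology defines."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 3:
            raise ValueError(f"{name} must be between 1 and 3, got {value}")


def prioritise(register: Iterable[Risk], acceptable_level: int = 3) -> List[Risk]:
    """Return the risks above the acceptable level, highest rating first.

    Risks at or below the threshold are accepted as-is and need no treatment;
    the rest are the input for control selection (and later the SoA).
    """
    risks = list(register)
    for r in risks:
        validate(r)
    return sorted(
        (r for r in risks if r.rating() > acceptable_level),
        key=lambda r: (-r.rating(), r.statement()),
    )


# Constructed sample register (hypothetical values, for illustration only).
SAMPLE_REGISTER = [
    Risk("paper report", "single copy", "fire", 1, 3),
    Risk("electronic record", "single copy", "storage unit failure", 2, 3),
    Risk("access control server", "software not updated for 8 years",
         "exploitation of known vulnerability", 3, 3),
    Risk("visitor log", "kept at reception desk", "unauthorised reading", 2, 1),
]


if __name__ == "__main__":
    print("rating  asset - vulnerability - threat")
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.rating():>6}  {r.statement()}")
```

    Run as a script, the block lists only the two risks whose rating exceeds the assumed threshold (the outdated access control server at 9 and the single-copy electronic record at 6); the paper report (3) and the visitor log (2) stay in the register as accepted risks. Changing the scale or the threshold is a methodology decision that belongs in the documented risk assessment methodology, not in the code.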
