  • IMS Framework validation

    My final year research thesis topic is "development of integrated management system for testing and calibration laboratories". I have developed the IMS Manual, which conforms with the requirements of ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO/IEC 17025:2017 and AS 9100D:2016. I also developed the IMS Framework as per the IMS Manual. Now I want to validate that framework. I want you to guide me on how to validate the IMS Framework. I'm also going to implement this IMS manual in an organization.

    Answer:

    Any plans must be updated when they start contacting reality. Your IMS Framework should be viewed as an initial approach based on your experience and learning. Now you should use your opportunity to implement it in an organization as a way of validating your work and fine-tuning it. Start from the end: what is the organization’s actual performance and what improvements do you want or expect to see after a certain time frame? Implement your IMS Framework and check evolution against performance measures, and perform internal audits to check conformity and improve the IMS Framework. Effectiveness is the most important outcome.

    The following materials will provide you more information about measuring performance:
    - Article - How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
    - Free webinar – How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
    - [free course] ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • KPIs and the process approach

    “By utilizing the KPIs that the company has identified as the important indicators that the processes are functioning well the overall QMS objectives for improvement become much easier to measure.”

    Answer:
    Let us consider the whole article How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/ before that phrase.

    https://www.screencast.com/users/ccruz5284/folders/Default/media/8b2d6344-c239-4f40-b80e-0ace5471fa1a

    For example, a company wins business by being the lower bidder in public contracts. So, its Quality Policy assumes that efficiency is a top priority. Efficiency is translated into an overall QMS objective called “Improve productivity”.

    An organization can be seen as a set of processes:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/59aaeb94-7829-4b00-84ec-18ab4e76c6b6

    Meeting a particular QMS objective will be a function of one or more processes. For example:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/8ace04c4-264f-4105-b8bb-65734f8774d2

    In this organization, processes “4. Prepare production” and “6. Maintain equipment” are considered the two most relevant to “Improve productivity”.
    Now, the organization can consider several ways of monitoring the performance of processes 4 and 6. For example, measures for process 6 can be:
    * Maintenance costs
    * Mean time between failure of critical equipment
    * Lost production time

    All measures are relevant and have their reason, but the organization decides that “Lost production time” is a KPI because it is a good proxy for improved productivity. This is an example of “(e.g. one objective for the whole QMS, then individual objectives for the product or process that supports the overall objective).”

    Now, back to your question. The overall QMS objective is, sometimes, very abstract and the final result of a long chain of cause and effect. With KPIs, an organization can monitor in real time measures that will affect the overall QMS objective, which will only be measurable much later.

    The following material will provide you more information about the process approach:
    - Free webinar – The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • GDPR Readiness Assessment and DPIA


    Answer:

    The purpose of the EU GDPR Readiness Assessment is for the company to do a self-check on the status of compliance with the main requirements of the EU GDPR. Since this questionnaire is not exhaustive, it does not provide a 100% accurate overview of your company’s compliance.

    If the answer to all of the questions in the Assessment is “Yes,” you might already be compliant with the provisions of the EU GDPR. Still, all instances where you answer “Yes” should be thoroughly documented to prove accountability and compliance.

    If you answer “No” to some questions, it will indicate where you need to focus your compliance efforts.

    A DPIA is a process designed to help you systematically analyze, identify and minimize the data protection risks of a project or plan. It is a key part of your accountability obligations under the GDPR, and when done properly it helps you assess and demonstrate how you comply with all of your data protection obligations. It does not have to eradicate all risk, but it should help you minimize risk and determine whether or not the level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve.

    2. Should these be conducted simultaneously? Or, how long after the Readiness Assessment is completed should a DPIA be carried out?

    Answer:

    As you can see, the two documents serve totally different purposes, so the order is not important. However, consider that the EU GDPR Readiness Assessment is meant to analyze the overall compliance of a company, so it makes sense to use this assessment first.
  • Conditions to issue a valid certificate


    Answer:
    A valid certificate is issued by a certification body, accredited under the International Accreditation Forum, after performing a two-stage audit to evaluate compliance with ISO 9001 requirements.

    The following material will provide you more information about certification audits:
    - ISO 9001 – How to prepare your company for the ISO 9001 certification audit - https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
    - Surveillance visits vs. certification audits - https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Monitoring resources

    Where in the standard does it say that tool design should verify tooling and record results prior to providing tooling to production?

    Answer:
    ISO 9001:2015 clause 7.1.5 is about monitoring and measurement resources used to ensure valid and reliable results about the conformity of products and services to requirements. So, all monitoring and measurement resources used to make a decision about the final products or services should be controlled. Control of all other monitoring and measurement resources should be based on management decision. If your tool design department works to supply tools to production, your current practice is acceptable. If your tool design department works to supply tools to outside customers, then their monitoring and measurement resources should be controlled.

    The following material will provide you more information about the monitoring and measurement resources:
    - Monitoring and Measurement: The basis for evidence-based decisions - https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Information security on managed offices


    Answer:

    If I understood correctly, this managed office is the main premises of your customer, so it cannot be excluded from the scope.

    If your client does not have much control over the managed office to demand implementation of the physical controls related to section A.11, then he should focus on protecting the assets on the workstations he uses, and for this he must consider defining a clear desk and clear screen policy to ensure unattended information or equipment is removed from desk and screen when not in use or when the user is absent.

    Specifically for notebooks, you can recommend the use of screen filters that reduce the angle of view from which other personnel can see what is on the screen (with these filters, people have to be exactly in front of the screen to see anything).

    If you want to see what this policy looks like, I suggest you take a look at the free demo of our Clear desk and clear screen policy at this link: https://advisera.com/27001academy/documentation/clear-desk-and-clear-screen-policy/

    This article will provide you further explanation about clear desk and clear screen policy:
    - Clear desk and clear screen policy – What does ISO 27001 require? https://advisera.com/27001academy/blog/2016/03/14/clear-desk-and-clear-screen-policy-what-does-iso-27001-require/
  • AS9100 Rev D: Auditing of monitoring software


    Answer:
    Clause 9.1.1 talks about monitoring and measurement, and in particular discusses the need to ensure that methods give valid results. If the method of monitoring and measurement is to use software, then this needs to be audited to ensure that it is giving valid results, and that the monitoring and measurement is maintained.

    In addition, clause 8.5.1.1 discusses control of equipment, tools and software used to automate, control, monitor or measure production processes. This requirement states that these items need to be validated prior to release and maintained. This would also require auditing.

    For a better understanding of the AS9100 Rev D standard, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
  • ISO 22301 clause 4.4


    Answer:

    The identification of BCMS processes and their interactions is evidenced through the BCMS scope document. In this document you have to ensure the following is identified:
    - which parts of the organization are in the BCMS (clause 4.3.2 c))
    - products, services and activities related to the parts in the BCMS (clause 4.3.2 d))

    This article will provide you further explanation about defining scope (the article is related to ISO 27001, but the same concept is applicable to ISO 22301):
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Templates for software development

    Do you have any that would be of use for us?

    Answer:

    Included in the toolkit you bought you have the following templates that cover software development:
    - Secure development policy
    - Specification of information system requirements

    Both are located in folder 08 Annex A Security Controls, sub-folder A.14 System Acquisition Development and Maintenance.
    In case you find these are not enough to fulfill your needs, you can edit them to include the information you want, or create a new document using the blank template included in the root folder of your toolkit. In both cases you can contact us to support you.

    This article will provide you further explanation about security on software development:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
  • Questions about certification


    Answer: ISO 27001 does not require the implementation of Business Continuity Management. A Disaster Recovery Plan will be enough to cover 27001 requirements.

    For more information, see:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

    2. May employees' personal laptops and smartphones be excluded from the ISMS scope?

    Answer: Personal assets of employees must not be included in the organization's ISMS scope (after all, they do not belong to the organization). The point with such assets is that if they process or store information included in the ISMS scope, you have to assess the risks involved in such access, and if the risks are identified as unacceptable you have to consider how to treat them (e.g., forbid such assets from accessing the organization's information, or regulate their use through controls such as acceptable use of assets or a mobile and teleworking policy).

    For more information, see:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    3. In the template of the Risk Assessment and Treatment report, can you explain to me in more detail what is expected for the section « Time period »?

    Answer: In the "time period" section you must document:
    - When the risk assessment activity presented in the report has started and ended
    - When the risk treatment activity presented in the report has started and ended
    - When the elaboration of the final report has started and ended

    With this information it can be evaluated whether the risk assessment took enough time considering the complexity of the assessed scope, whether risk treatment was performed in due time, and whether the report presents current or old information, which helps to support decision making.

    This article will provide you further explanation about risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/