Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 45001: A brief history
great information Mark
-
GDPR Questions
We've received additional questions:
>1. What is the difference between Privacy Notice and Personal Data Protection Policy?
Answer:
The GDPR increases the amount of information you need to include in your privacy notices. The information is provided to the data subject through Privacy Notices. Notices must also be concise and intelligible and provide the information required under art. 13 and 14 of the GDPR. On the other hand, the Data Protection Policy as stated previously is a statement of the company to process data in accordance with the GDPR and its principles. So both the purposes and the audience is different.
>2. What is the difference between Employee Privacy Notice and Employee Data Protection Policy?
Answer:
Keeping in mind the description and purpose of a Privacy Notice note that the Employee Privacy Notice is tailored as to be used for informing the employees what the company usually uses their personal data for. The Employee Data Protection Policy is a document which is setting up the rules for processing personal data by the HR department. -
Reporting a gap analysis
Answer
First, I would not use the word negative. You are starting to implement a quality management system (QMS), you need allies and people can become very upset when someone comes saying that they are wrong.
I would start by remembering all the reasons the organization wants or needs an ISO 9001 QMS. Then I would arrange ISO 9001 clauses (gap analysis questions and answers) in groups that anyone can relate to. People don’t know clause 8.4, but they know what purchasing or income inspection are. For example, you can group topics around commercial activities, around warehouse activities, around purchasing activities, ...
For each group I would present the gap analysis question, the answer and the why for the topic. Then, I would present a summary of the ISO 9001 requirement stressing that ISO 9001 does not give an answer about how to close the gap. For each group I would present a proposal about a team composition and timing for developing the way to close the gap. If y ou use our Free ISO 9001:2015 Gap Analysis Tool you can use the number at the bottom to monitor the progress impartially.
The following material will provide you more information about internal audits:
- Article - ISO 9001 – Bridging the communications gap with management in the context of ISO 9001 - https://advisera.com/9001academy/blog/2019/04/03/bridging-the-communications-gap-with-management-in-the-context-of-iso-9001/
- [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Create a quality policy
Answer
An organization with a quality management system should have a quality policy. A quality policy is a set of intentions and direction for an organization as determined by top management. You will not see this in ISO 9001:2015, this is my practice. When I work with an organization’s top management in developing their quality policy I recommend thinking about some questions:
Who are our target customers and other very relevant interested parties?
What are the most important requirements for those target customers and other very relevant interested parties?
In what activities should our organization be excellent to be able to satisfy target customers and other very relevant interested parties?
After discussing the questions and answers and after arriving at some consensus, I invite the organization to write a text with the following structure:
To whom do we work (We work for clients that value …)
What are our top priorities. In what things we need to be exc ellent.
Add the commitments included and required by ISO 9001
That way you will write a guiding document that will focus your organization in a strategic way and translating that policy into objectives will be easier.
The following material will provide you more information about the quality policy:
- How to Write a Good Quality Policy - https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
- [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Context of an organization
Answer
Your organization is not an abstract entity living in a perfect world. For example, top management should not make decisions without considering what is happening now, or what can happen in the future of the economic, social, political or technological environment around the organization. Imagine an organization deciding to invest heavily in a technology that can become obsolete or deciding to open an office at another country that will impose greater import restrictions.
Organizations are not really free to decide what to do, they should take into consideration their past, their experience, their DNA, their strengths and their weaknesses. The set of internal and external issues that affect an organization is what ISO 9001 calls the context.
The following material will provide you more information about context of an organization:
- Free white paper - ISO 9001 – Case study for ISO 9001:2015 transition in a construction company - https://advisera.com/9001academy/
- Free webinar – ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
- [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Training others to perform internal audits
Answer
An internal auditor must be competent to perform internal audits. Companies have the authority to determine what should be their requirements for competency. Normally, they are about knowing the standard and about knowing good audit practices and some previous experience.
With this course ISO 9001:2015 Lead Auditor Course you will get training about ISO 9001:2015 and about good audit practices (preparing, performing and reporting). This will give you knowledge that you can pass on to others through an internal auditor course performed by you in-house. Attention, this course is better suited to those that want to follow a career as Lead Auditors. Just to enable you to train internal auditors, if you don’t want to follow a career as Lead Auditor, perhaps our ISO 9001:2015 Internal Auditor Course is better suited to your needs.
The following material will provide you more information about internal audits:
- Article - ISO 9001 – How to prepare for an internal audit - https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/
- [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Internal audit
# Type
# Scope
# Frequency
Is the documents of "10_Internal_Audit" covering this point?
Answer:
I'm assuming you are referring to ISO 27001 Annex A section A.18.2 Information security reviews. Considering that, your assumption is correct, the internal audit procedure is the document which covers the controls from this section.
The definition of scope and frequency will depend on factors such as the importance of the information system, related risks, results of previous audits, etc., but a good start to consider is to audit information systems in the ISMS scope at least once a year.
2. I´m having a problem to figured out this issue, do you have forms or a procedure to cover this point?
Answer:
To see how this internal audit document looks like, please take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
For further information also see:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- ISO 27001:2013 Internal auditor course https://advisera.com/training/iso-27001-internal-auditor-course/ -
Certification bodies
Answer:
Unfortunately we do not have this kind of list, and you should ask for this specific need in the quotes you will send to potential certification bodies.
This article will provide you further explanation about selection of certification bodies:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/ -
Aspects, impacts and risks
Answer:
Consider the example below:
One of the activities performed by an organization (cutting steel sheet) interacts with the environment through one or more environmental aspects (noise generation). Environmental impacts are the expected and normal outcomes or consequences of an environmental aspect (neighborhood nuisance below legal limits in this case).
Please check risk definition (3.2.10) on ISO 14001:2015 (effect of uncertainty). With environmental aspects and impacts we are considering normal, expected situations. Whenever there is uncertainty there is risk, there is a potential deviation from the expected.
In the example above one of the risks, one of the possibilities, it is a cutting machine malfunction. That malfunction can generate a negative deviation from the expected, can generate much more noise, exceed legal limits and increase neighborhood complaints.
In my work with organizations we determine environmental aspects and impacts. Then, for each impact I ask (and please check the relationship with Mark Hammar’s article):
What can help us improve the environmental impact? (opportunity)
What can deteriorate the environmental impact? (risk)
The following material will provide you information about getting clients as consultant:
- ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
- Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
- Free online course - ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/ -
Gap analysis feedback
Answer
As far as I understand your question, you can design something like:
Perform gap analysis
Communicate result
Act upon the system to close the gaps
Re-perform gap analysis
Check improvement/evolution
Communicate result
Back to: act upon the system to close the remaining gaps
…
You can use a detailed Gap Analysis checklist and perhaps evaluate the gap not as a yes or no, but as a result between 0, 1, 2 and 3. Being 0 having nothing (total gap) and 3 being no gap detected (or vice versa)
The following material will provide you more information about Gap Analysis:
- ISO 9001 – Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
- Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/