Search results


  • Reporting a gap analysis


    Answer

    First, I would not use the word negative. You are starting to implement a quality management system (QMS), you need allies and people can become very upset when someone comes saying that they are wrong.
    I would start by remembering all the reasons the organization wants or needs an ISO 9001 QMS. Then I would arrange ISO 9001 clauses (gap analysis questions and answers) in groups that anyone can relate to. People don’t know clause 8.4, but they know what purchasing or incoming inspection are. For example, you can group topics around commercial activities, around warehouse activities, around purchasing activities, ...
    For each group I would present the gap analysis question, the answer and the why for the topic. Then, I would present a summary of the ISO 9001 requirement, stressing that ISO 9001 does not give an answer about how to close the gap. For each group I would present a proposal about a team composition and timing for developing the way to close the gap. If you use our Free ISO 9001:2015 Gap Analysis Tool you can use the number at the bottom to monitor the progress impartially.

    The following material will provide you more information about internal audits:
    - Article - ISO 9001 – Bridging the communications gap with management in the context of ISO 9001 - https://advisera.com/9001academy/blog/2019/04/03/bridging-the-communications-gap-with-management-in-the-context-of-iso-9001/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Create a quality policy


    Answer

    An organization with a quality management system should have a quality policy. A quality policy is a set of intentions and direction for an organization as determined by top management. You will not see this in ISO 9001:2015, this is my practice. When I work with an organization’s top management in developing their quality policy I recommend thinking about some questions:
    Who are our target customers and other very relevant interested parties?
    What are the most important requirements for those target customers and other very relevant interested parties?
    In what activities should our organization be excellent to be able to satisfy target customers and other very relevant interested parties?
    After discussing the questions and answers and after arriving at some consensus, I invite the organization to write a text with the following structure:
    For whom do we work (We work for clients that value …)
    What are our top priorities. In what things we need to be excellent.
    Add the commitments included and required by ISO 9001

    That way you will write a guiding document that will focus your organization in a strategic way and translating that policy into objectives will be easier.

    The following material will provide you more information about the quality policy:
    - How to Write a Good Quality Policy - https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Context of an organization


    Answer
    Your organization is not an abstract entity living in a perfect world. For example, top management should not make decisions without considering what is happening now, or what can happen in the future, in the economic, social, political or technological environment around the organization. Imagine an organization deciding to invest heavily in a technology that can become obsolete, or deciding to open an office in another country that will impose greater import restrictions.
    Organizations are not really free to decide what to do, they should take into consideration their past, their experience, their DNA, their strengths and their weaknesses. The set of internal and external issues that affect an organization is what ISO 9001 calls the context.

    The following material will provide you more information about context of an organization:
    - Free white paper - ISO 9001 – Case study for ISO 9001:2015 transition in a construction company - https://advisera.com/9001academy/
    - Free webinar – ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Training others to perform internal audits


    Answer
    An internal auditor must be competent to perform internal audits. Companies have the authority to determine what should be their requirements for competency. Normally, they are about knowing the standard and about knowing good audit practices and some previous experience.
    With this course ISO 9001:2015 Lead Auditor Course you will get training about ISO 9001:2015 and about good audit practices (preparing, performing and reporting). This will give you knowledge that you can pass on to others through an internal auditor course performed by you in-house. Attention, this course is better suited to those that want to follow a career as Lead Auditors. Just to enable you to train internal auditors, if you don’t want to follow a career as Lead Auditor, perhaps our ISO 9001:2015 Internal Auditor Course is better suited to your needs.

    The following material will provide you more information about internal audits:
    - Article - ISO 9001 – How to prepare for an internal audit - https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Internal audit

    # Type
    # Scope
    # Frequency
    Are the documents of "10_Internal_Audit" covering this point?

    Answer:

    I'm assuming you are referring to ISO 27001 Annex A section A.18.2 Information security reviews. Considering that, your assumption is correct, the internal audit procedure is the document which covers the controls from this section.

    The definition of scope and frequency will depend on factors such as the importance of the information system, related risks, results of previous audits, etc., but a good start to consider is to audit information systems in the ISMS scope at least once a year.

    2. I'm having a problem figuring out this issue, do you have forms or a procedure to cover this point?

    Answer:

    To see what this internal audit document looks like, please take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    For further information also see:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - ISO 27001:2013 Internal auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Certification bodies


    Answer:

    Unfortunately we do not have this kind of list, and you should ask for this specific need in the quotes you will send to potential certification bodies.

    This article will provide you further explanation about the selection of certification bodies:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • Aspects, impacts and risks


    Answer:

    Consider the example below:

    https://www.screencast.com/t/Yh8sEL7i6X

    One of the activities performed by an organization (cutting steel sheet) interacts with the environment through one or more environmental aspects (noise generation). Environmental impacts are the expected and normal outcomes or consequences of an environmental aspect (neighborhood nuisance below legal limits in this case).

    Please check the risk definition (3.2.10) in ISO 14001:2015 (effect of uncertainty). With environmental aspects and impacts we are considering normal, expected situations. Whenever there is uncertainty there is risk, there is a potential deviation from the expected.

    In the example above one of the risks, one of the possibilities, is a cutting machine malfunction. That malfunction can generate a negative deviation from the expected: it can generate much more noise, exceed legal limits and increase neighborhood complaints.

    In my work with organizations we determine environmental aspects and impacts. Then, for each impact I ask (and please check the relationship with Mark Hammar’s article):
    What can help us improve the environmental impact? (opportunity)
    What can deteriorate the environmental impact? (risk)

    The following material will provide you information about getting clients as consultant:
    - ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
    - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - Free online course - ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
  • Gap analysis feedback


    Answer
    As far as I understand your question, you can design something like:
    Perform gap analysis
    Communicate result
    Act upon the system to close the gaps
    Re-perform gap analysis
    Check improvement/evolution
    Communicate result
    Back to: act upon the system to close the remaining gaps


    You can use a detailed Gap Analysis checklist and perhaps evaluate the gap not as a yes or no, but as a result between 0, 1, 2 and 3, with 0 being nothing in place (total gap) and 3 being no gap detected (or vice versa).

    The following material will provide you more information about Gap Analysis:
    - ISO 9001 – Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
    - Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 27001 toolkit content

    - A.6.1.1 – A.6.1.6
    - A.7.3
    - A.8.1.3 & A.8.1.4
    - A.9.4
    - A.11 is also somewhat incomplete
    - A.12.1.3 and 12.1.4
    - A.12.4 – A.12.7
    - A.18 is missing completely

    I previously thought that the missing parts may be part of an update. Can you tell me more about the missing parts of the ISO?

    Answer:

    First of all, sorry for this confusion. It is important to note that not every control needs to be documented, and to avoid unnecessary administrative work the toolkit includes only all the mandatory documents plus the most common ones.
    In the root folder of the toolkit you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.

    Documents which cover some of the controls you mentioned can be found here:
    - A.6.1.2 - this control is covered by document "Incident Management Procedure", located in Folder "08 Annex A – Security Controls" sub-folder "A.16 Information Security Incident Management"
    - A.8.1.3 & A.8.1.4 - these controls are covered by documents "IT Security Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.8 Asset Management" and "Supplier Security Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.15 Supplier Relationships"
    - A.9.4.1 this control is covered by documents "Information Classification Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.8 Asset Management" and "Access Control Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.9 Access Control"
    - A.9.4.3 this control is covered by documents "Password Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.9 Access Control" and "Access Control Policy", located in Folder "08 Annex A – Security Controls" sub-folder "A.9 Access Control"
    - A.12.4 - these controls are covered by document "Security Procedures for IT Department", located in Folder "08 Annex A – Security Controls" sub-folder "A.12 Operations Security"
    - A.18 – controls from this section are covered in the toolkit in folder "02 Procedure for identification of requirements”

    In case your implementation requires controls not included in the mentioned documents covered by the toolkit, you can contact us by email or schedule a meeting and we can provide the support to develop these documents.
  • SWOT Analysis and ISO 27001


    Answer:

    First, it is important to note that a SWOT analysis is not mandatory for ISO 27001, but it can help with the identification of organizational context and requirements of interested parties.

    Considering that, the SWOT analysis used for ISO 9001 certification can be used for ISO 27001, provided that you now include an information security perspective on the information already gathered.

    These articles will provide you further explanation about organizational context and requirements of interested parties:
    - How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/