(1) Can I incorporate the ISO 45001 into our ISO9001:2015 QM. I am not sure how to do so. Procedures I can handle using a separate volume.
Answer: You are correct, OHSAS 18001 is being replaced by ISO 45001:2018, and companies who have the previous standard in place need to transition before 2021 to keep a valid certification for their OHSMS. As for incorporating ISO 45001 into an ISO 9001:2015 management system, this is certainly possible and often preferred. Both standards now follow the same document structure, so it is easy to see what is common, such as internal audit, control of documented information and management review. In this way you can even use the same processes and procedures for these common elements and ensure that you cover both aspects of the processes.
You may find it helpful to read the free whitepaper: How to integrate ISO 45001 with ISO 9001 and ISO 14001, https://advisera.com/45001academy/blog/2018/09/12/how-to-integrate-iso-45001-with-iso-9001-and-iso-14001/
(2) How would certification bodies audit us: in one go or on separate occasions?
Answer: When a company has more than one certification it is possible to have one certification body perform the certification audits together, at the same time. There will be additional auditing time allotted, but like the internal audits it is possible to audit some elements together and cover both standards. However, this would only be the case if you have the same certification body for both standards; if you choose to have different certification bodies for each standard, they may not be able to do a joint audit.
To better understand the requirements of ISO 45001:2018, see our whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
The same toolkit also contains a Task Description that can be used when appointing a DPO.
ISO 27017 and ISO 27018 certification
Answer: First it is important to note that ISO 27017 and ISO 27018 are not certifiable standards (some certification bodies "certify" against ISO 27017 and ISO 27018, but only during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series).
Considering that, the ISO 27001 certification is valid for three years.
2. Are there surveillance audits every year as with ISO 27001?
Answer: If your certification body includes in the certification a statement that you are also compliant with ISO 27017 and ISO 27018, the surveillance audits will be the same as for a normal ISO 27001 certification, normally one each year.
Question 1) Is this vision of a "second" residual risk correct?
Answer: I think there is a misunderstanding here. When you apply a policy over an "inherent risk" you are already treating a risk (first you would have to evaluate the inherent risk against the acceptance criteria, the risk appetite). If this first residual risk after applying this control is still over the risk appetite you have two options: accept the residual risk as it is (because applying more controls will not be worthwhile), or apply additional controls to further decrease the risk (then you would have the "second", "third" residual risk, and so on).
Considering this, before applying any control you have to evaluate the inherent risk first.
Question 2: Can I use the same controls assessment policy for estimating "second" residual risk?
Answer: The methodology you use to assess the inherent risk can also be used to assess the risk after the control application.
Internal auditors and competence
We've received additional questions:
> Are the surveillance audits a new requirement of the ISO 9001:2015 standard?
> What happens if we don’t do the surveillance audits and just do the renewal on year 3?
Answer
Surveillance audits are not a requirement of ISO 9001:2015. Surveillance audits are a requirement from your contract with the certification body. Certification is not an ISO 9001:2015 requirement. Certification is a management decision. Many organizations use ISO 9001 as help to implement a management system without performing the extra step of certification.
ISO 9001 only mentions internal audits.
Certification bodies cannot propose a contract that does not include surveillance audits because that would go against their accreditation procedures.
Continual improvement
Answer:
There are no mandatory documents required by clause 10.3 (Continual Improvement). However, your organization needs to demonstrate continual improvement by reviewing the documentation and processes as the quality management system matures or when a new process is implemented. The organization can use the data output from its processes, for example results from internal audits, management reviews, etc., to support that continual improvement is happening.
Answer: If you do not have evidence to show compliance with all requirements from sections 4 to 10, and that the controls from Annex A stated as applicable in the Statement of Applicability (SoA) are implemented and working, it makes no sense to go for a certification audit, since the certification auditor will not have enough evidence to verify whether the ISMS is implemented and operational.
2. How long should I be operational prior to conducting the audit? 6 months minimum?
Answer: A good reference you can use to define the time you need a process or control to be operating to have enough data to be audited is to ensure it has already completed at least three cycles of operation. For example, if a full backup process is performed once a week, then you should wait at least three weeks to audit this process.
But it is important to note that certification bodies have their own criteria about the duration of the ISMS operation before the certification, so you must contact them beforehand to align on this.
Paper-based or electronic records?
Answer:
The best practice is the one that is best for you. The purpose of the records is that they confirm that some work has been done. How these records will be organized depends solely on your business and core process:
a) what kind of jobs do you have (whether it's manual work in a workshop where there is no computer or tablet, or it's all automated and directly involving a computer/server);
b) are electronic forms always available to all employees;
c) whether the records are easily retrieved in case they need to prove compliance;
d) whether the records are protected from manipulation (subsequent data modification) or loss (whether there is a corresponding back-up).
In any case, it is recommended not to duplicate records where it is not needed (e.g., a legal obligation).
According to ISO 9001:2015 the organization needs to conduct reviews, verification and validation to ensure that the results of design and development meet the necessary requirements. If the approver performs one of these activities then you require this role. If your company already conducts these three processes, you don't need the approver to release the drawings to comply with the standard's requirements.
When planning both the stages and the controls of the design and development of its products and services, the organization needs to take into account what kinds of activities will be necessary, as well as their duration and degree of complexity.
With respect to clause 8.3.2 (design and development planning), you must retain the related records to demonstrate that the design and development requirements have been met. That is, the organization needs to provide some kind of objective evidence of what the planning activities include. This can be achieved by using schedules, Gantt charts or any other planning method, such as some kind of project management tool.