Search results


  • Approval of designs


    Response:

    According to ISO 9001:2015, the organization needs to conduct reviews, verification and validation to ensure that the results of design and development meet the necessary requirements. If the approver performs one of these activities, then you require this role. If your company already conducts these three processes, you don't need the approver to release the drawings and comply with the standard requirements.

    You can also see these materials to help you with the process of design and development in ISO 9001:
    - Article - ISO 9001 design process explained: https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Clause 8.3: Nature, duration and complexity


    Answer

    When planning both the stages and the controls for the design and development of its products and services, the organization needs to take into account what kind of activities will be necessary, as well as their duration and degree of complexity.

    With respect to this point 8.3.2 (design and development planning), you must retain the related records to demonstrate that the design and development requirements have been met. That is, the organization needs to provide some kind of objective evidence of what the planning activities include. This can be achieved using schedules, Gantt charts or any other planning method, such as some type of project management tool.

    For more information about design and development in ISO 9001:2015 you can see these materials:
    - Article (in English) - Case study: Design and Development in the software industry: https://advisera.com/9001academy/blog/2017/02/08/case-study-design-and-development-in-the-software-industry/
    - Article (in English) - ISO 9001 design process explained: https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Secure email usage


    Answer:

    For a policy template that covers secure email usage, I suggest you take a look at the free demo of these templates to see if they can fulfill your needs:
    - Bring Your Own Device (BYOD) Policy: https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/
    - Mobile Device and Teleworking Policy: https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
    - IT Security Policy: https://advisera.com/27001academy/documentation/it-security-policy/
  • Implementing ISO 27001 information security risk management


    Step 1: Identify the internal and external issues in our company
    Step 2: Identify the risks and opportunities that would arise from each internal and external issue
    Step 3: Bring the risk items identified during "step 2" to risk assessment
    Step 4: Devise a separate plan to utilize the opportunities.
    Step 5: Develop the risk treatment plan.

    Answer:

    To be compliant with ISO 27001 the risk management must follow these steps:
    - Definition of a risk assessment and treatment methodology
    - Performing of risk assessment (risk identification and risk analysis)
    - Performing of risk treatment (risk evaluation and controls selection)
    - Elaboration of a risk treatment report
    - Elaboration of Statement of Applicability (SoA)
    - Elaboration of Risk Treatment Plan and acceptance of residual risks

    To see what a risk assessment and treatment process looks like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This article will provide you with further explanation about implementing risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    These materials will also help you regarding risk assessment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Internal audit planning


    1. Shouldn't I review all the company's ISMS documents prior to creating the audit plan, or is this not necessary for a Full System ISMS Internal Audit? The company advises me that there will be approximately 160 documents which they're expecting me to review during the scheduled audit, which they've estimated to take 5 days based on other audits they've had in the past. My understanding from the training is that I should review all their documents first, then develop the audit plan, although it's not an ISMS mandatory document by the standard.

    Answer: First, it is important to note that ISO 27001 does not prescribe the steps for performing an internal audit, only that it must be performed periodically, and its expected inputs and outputs. Considering that, the review of ISMS documents is not mandatory.

    The review of ISMS documents prior to developing the internal audit plan is useful for you to identify situations specific to your organization that you should look for (e.g., the name of a record, the periodicity of a task, etc.), but not being able to review all documents should not be an impediment for you to plan your internal audit. In this case you should focus on documented information required by the main clauses of the standard (sections 4 to 10), and on documents and methods of implementation defined for controls from Annex A stated as applicable in your Statement of Applicability (SoA), and make an observation that some specifics of your organization may not be properly audited, and that there is a risk that nonconformities related to them may be found during the certification audit (this is a risk that your management has to accept if you do not have time to review all documents).

    Examples of minimal documents you must include in your review are the ISMS scope, ISMS policy, and risk assessment and treatment report.

    This article will provide you with further explanation about mandatory documents for ISO 27001:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    One additional thing we should mention is that 160 documents for an ISMS is a very uncommon quantity for a set of documents (for small and medium-sized companies the set of documents would be no more than 40 to 50), so maybe you have room for improvement by decreasing the quantity of documents.
  • SMART objectives are someone's responsibility


    Answer

    Both requirements can be matched without contradictions. For example, consider the following quality objective:

    We want to reduce machine A defects rate by 10% in the next 45 days.

    Who will be responsible for meeting this objective?
    Supervisor A will be responsible for leading a team that will work to meet this objective

    The following material will provide you more information about objective definition:
    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Check the free preview of ISO 9001 document template: Quality Objectives - https://advisera.com/9001academy/documentation/quality-objectives/
    - Free online training ISO 9001:2015 Foundations Course – https://training.advisera.com/course/iso-90012015-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ITIL


    Answer:
    To get a basic understanding of ITIL, I suggest you read the following text: “What is ITIL®?” https://advisera.com/20000academy/what-is-itil/
    Implementation includes processes, organizational change, technology (management and e.g. an IT Service Management tool), etc. These articles can help you:
    - “Ready, steady… go – Starting ITIL implementation” https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/
    - Considerations before ITIL implementation https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/
    - 5 things to beware of when selecting an ITSM tool https://advisera.com/20000academy/blog/2016/03/08/5-things-to-beware-of-when-selecting-an-itsm-tool/
  • ISO 45001 Interested parties, Scope and the OHSMS


    Answer:
    You have asked about some very important elements in the OHSMS. Clause 4.2 (needs & expectations of workers and interested parties) requires that you identify any parties (people, organizations, agencies) that have an interest in your OHSMS and determine what their expectations are. What do your workers need? What are the expectations of the OH&S laws you need to meet? Then you need to determine which of these expectations are legal or other requirements you need to comply with. This does not need to be written down, but it is definitely helpful to do so, as it needs to be reviewed regularly.
    Clause 4.3 (Scope of the organization) needs to define the boundaries and applicability of the OHSMS. In other words, exactly where do the rules, policies and processes of your OHSMS apply? This does need to be written down, and will be used by your certification body to know where they must audit. You can learn more in this article: How to determine scope of the OH&SMS, https://advisera.com/45001academy/blog/2015/12/09/how-to-determine-scope-of-the-ohsms/
    Finally, Clause 4.4 does not require any specific documentation, but instead refers to everything you put in place to meet ISO 45001 and your requirements. The clause states you need to establish, implement, maintain and continually improve your OHSMS. This means you need to define what the processes will include (establish), make sure everyone using the process understands the requirements (implement), keep this up by training new people who come on board and ensure changes are understood (maintain), and finally to make the processes better over time (continually improve).
    To help make sure you have all the required documentation in your filing checklist, you can see the free whitepaper: Checklist of Mandatory Documentation Required by ISO 45001, https://info.advisera.com/45001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-45001
  • Residual risk


    Answer:

    First it is important to note that ISO 27001 does not define what residual risk means, nor how it is determined.

    However, consulting ISO 27000, which presents the vocabulary for information security management systems and is referred to in section 3 of the standard, residual risks are the risks remaining after risk treatment.

    Considering that, the auditor's statement is not correct, because at the point where residual risk acceptance is required (after approval of the risk treatment plan) some controls may not have been implemented yet, so calculation of residual risk is the only way for decision makers to have an estimate of whether the selected controls are sufficient.

    Maybe what the auditor has tried to say is that you cannot take a calculated residual risk as real until you measure the effects of implemented controls. You can consider it at most as an expected residual risk until the first measurement and evaluation of controls' effectiveness, which will or will not validate your calculation.

    This article will provide you with further explanation about residual risks:
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
  • Implementing an EMS?


    Answer:

    Implementing an environmental management system according to ISO 14001 is a voluntary decision and it’s a management decision. Your organization should evaluate the cost-benefit of that decision. To be certified, all ISO 14001 clauses should be considered.

    The following material will provide you information about implementing an environmental management system:
    - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/
    - Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    - Free ISO 14001 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Free online course - ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
    - Book – The ISO 14001 Companion - https://advisera.com/books/the-iso-14001-2015-companion/