Search results


  • Continual improvement


    Answer:

    There are no mandatory documents required by clause 10.3 (Continual Improvement). However, your organization needs to demonstrate continual improvement by reviewing the documentation and processes as the quality management system matures or when a new process is implemented. The organization can use the data output from its processes, for example results from internal audits, management reviews, etc., to support that continual improvement is happening.

    You can also see these materials to help you with the requirement of continual improvement in ISO 9001:2015:
    - White paper - Clause by clause explanation of ISO 9001:2015: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Conditions to pursue ISO 27001 certification


    Answer: If you do not have evidence to show compliance with all requirements from sections 4 to 10, and that the controls from Annex A stated as applicable in the Statement of Applicability (SoA) are implemented and working, it makes no sense to go for a certification audit, since the certification auditor will not have enough evidence to verify whether the ISMS is implemented and operational.

    For further information, see:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

    2. How long should I be operational prior to conducting the audit? 6 months minimum.

    Answer: A good reference you can use to define how long a process or control needs to be operating to have enough data to be audited is to ensure it has already completed at least three cycles of operation. For example, if a full backup process is performed once a week, then you should wait at least three weeks to audit this process.

    But it is important to note that certification bodies have their own criteria about the duration of ISMS operation before certification, so you must contact them beforehand to align on this.
  • Paper-based or electronic records?


    Answer:

    The best practice is the one that is best for you. The purpose of the records is that they confirm that some work has been done. How these records will be organized depends solely on your business and core process:

    a) what kind of jobs do you have (whether it's manual work in a workshop where there is no computer or tablet, or it's all automated and directly involving a computer/server);
    b) are electronic forms always available to all employees;
    c) whether the records are easily retrieved in case they need to prove compliance;
    d) whether the records are protected from manipulation (subsequent data modification) or loss (whether there is a corresponding back-up).

    In any case, it is recommended not to duplicate records where it is not needed (e.g., by a legal obligation).

    For more about document management systems, please read this article:
    Common mistakes with ISO 13485:2016 documentation control and how to avoid them
    https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/
  • Approval of designs


    Response:

    According to ISO 9001:2015 the organization needs to conduct reviews, verification and validation to ensure that the results of design and development meet the necessary requirements. If the approver performs one of these activities, then you require this role. If your company already conducts these three processes, you don't need the approver to release the drawings in order to comply with the standard's requirements.

    You can also see these materials to help you with the process of design and development in ISO 9001:
    - Article - ISO 9001 design process explained: https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Clause 8.3: Nature, duration and complexity


    Answer

    When planning both the stages and the controls of the design and development of its products and services, the organization needs to take into account what type of activities will be necessary, as well as their duration and degree of complexity.

    With respect to point 8.3.2 (design and development planning), you must retain the related records to demonstrate that the design and development requirements have been met. That is, the organization needs to provide some kind of objective evidence of what the planning activities include. This can be achieved by using schedules, Gantt charts or any other planning method, such as some kind of project management tool.

    For more information on design and development in ISO 9001:2015 you can see these materials:
    - Article (in English) - Case study: Design and Development in the software industry: https://advisera.com/9001academy/blog/2017/02/08/case-study-design-and-development-in-the-software-industry/
    - Article (in English) - ISO 9001 design process explained: https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Secure email usage


    Answer:

    For a policy template that covers secure email usage, I suggest you take a look at the free demo of these templates to see if they can fulfill your needs:
    - Bring Your Own Device (BYOD) Policy: https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/
    - Mobile Device and Teleworking Policy: https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
    - IT Security Policy: https://advisera.com/27001academy/documentation/it-security-policy/
  • Implementing ISO 27001 information security risk management


    Step 1: Identify the internal and external issues in our company
    Step 2: Identify the risks and opportunities that would arise from each internal and external issue
    Step 3: Bring the risk items identified during "step 2" to risk assessment
    Step 4: Devise a separate plan to utilize the opportunities.
    Step 5: Develop the risk treatment plan.

    Answer:

    To be compliant with ISO 27001, the risk management must follow these steps:
    - Definition of a risk assessment and treatment methodology
    - Performing of risk assessment (risk identification and risk analysis)
    - Performing of risk treatment (risk evaluation and controls selection)
    - Elaboration of a risk treatment report
    - Elaboration of Statement of Applicability (SoA)
    - Elaboration of Risk Treatment Plan and acceptance of residual risks

    To see what a risk assessment and treatment process looks like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This article will provide you with further explanation about implementing risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    These materials will also help you regarding risk assessment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Internal audit planning


    1. Shouldn't I review all the company's ISMS documents prior to creating the audit plan, or is this not necessary for a full-system ISMS internal audit? The company advises me that there will be approximately 160 documents which they're expecting me to review during the scheduled audit, which they've estimated to take 5 days based on other audits they've had in the past. My understanding from the training is that I should review all their documents first, then develop the audit plan, although it's not an ISMS mandatory document by the standard.

    Answer: First, it is important to note that ISO 27001 does not prescribe the steps for performing an internal audit, only that it must be performed periodically, and its expected inputs and outputs. Considering that, the review of ISMS documents is not mandatory.

    The review of ISMS documents prior to developing the internal audit plan is useful for you to identify situations specific to your organization that you should look for (e.g., the name of a record, the periodicity of a task, etc.), but not being able to review all documents should not be an impediment for you to plan your internal audit. In this case you should focus on documented information required by the main clauses from the standard (from sections 4 to 10), and on documents and methods of implementation defined for controls from Annex A stated as applicable in your Statement of Applicability (SoA), and make an observation that some specifics of your organization may not be properly audited, and that there is a risk that nonconformities related to them may be found during the certification audit (this is a risk that your management has to accept if you do not have time to review all documents).

    Examples of minimal documents you must include in your review are the ISMS scope, ISMS policy, risk assessment and treatment report.

    This article will provide you with further explanation about mandatory documents for ISO 27001:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    One additional thing we should mention is that 160 documents for an ISMS is a very uncommon quantity for a set of documents (for small and medium-sized companies the set of documents would be no more than 40 to 50), so maybe you have room for improvement by decreasing the quantity of documents.
  • SMART objectives are someone's responsibility


    Answer

    Both requirements can be matched without contradictions. For example, consider the following quality objective:

    We want to reduce machine A defects rate by 10% in the next 45 days.

    Who will be responsible for meeting this objective?
    Supervisor A will be responsible for leading a team that will work to meet this objective

    The following material will provide you more information about objective definition:
    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Check the free preview of ISO 9001 document template: Quality Objectives - https://advisera.com/9001academy/documentation/quality-objectives/
    - free online training ISO 9001:2015 Foundations Course – https://training.advisera.com/course/iso-90012015-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ITIL


    Answer:
    To get a basic understanding of ITIL, I suggest you read the following text: “What is ITIL®?” https://advisera.com/20000academy/what-is-itil/
    Implementation includes processes, organizational change, technology (management and, e.g., an IT Service Management tool), etc. These articles can help you:
    - “Ready, steady… go – Starting ITIL implementation” https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/
    - Considerations before ITIL implementation https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/
    - 5 things to beware of when selecting an ITSM tool https://advisera.com/20000academy/blog/2016/03/08/5-things-to-beware-of-when-selecting-an-itsm-tool/