Answer
Let us start with the second question, about the difference between processes and procedures. A process is a set of activities carried out in order to achieve a particular end. A documented procedure is a written description of how to perform a certain activity or activities. So, process and procedure are two different things. As for the first question, the answer is yes. One can document a 9001 process in a procedure, but remember that a process is much more than a procedure.
Answer:
SMART is an acronym for the 5 things to consider when writing good goals or improvement objectives. S stands for specific, so that you know exactly what you are trying to achieve. M stands for measurable, so that you can know whether you have actually achieved the goal. A can stand for different things, like achievable or agreed, but I like to use agreed because it is different from the next letter and it highlights that objectives need to be agreed in the organization. R is for realistic, so that you are not trying for a target that cannot be reached in the time available. T stands for time-based, so your objective needs to have a set timeline for achievement in order to make sure you can stay on track.
2) There is no good explanation for determining the interested parties (external); can you provide some explanation?
Answer:
The reason for identifying the interested parties is to determine what their needs and expectations are. These needs and expectations will become the requirements you need to comply with in order to have a good OHSMS, so you need to identify who the interested parties are in order not to miss any requirements. For instance, if there is a government agency that has OH&S laws you need to meet, they are an interested party and the requirements of the laws are the expectations. This can be done in many ways, but the result is to make sure you know all the expectations that will apply to your OHSMS before you implement it, and then keep up to date on changing needs.
An opportunity is something entirely different. An opportunity is something that you can CHOOSE to pursue, which may have associated risks. You may be subject to positive and/or negative risks if you choose to pursue the opportunity. Alternatively, you may be subject to positive and/or negative risks if you choose not to pursue the opportunity.
For example, the sale of a lottery ticket is an opportunity. If you choose to pursue the opportunity and buy the lottery ticket, you are subject to a negative and a positive risk. The negative risk is that you will not win and will lose the money you paid for the ticket. This has a high likelihood. The positive risk is that you will win the lottery. This has an extremely low likelihood.
Answer:
First, let's consider some definitions:
ISO Guide 73, which defines a vocabulary for risk management, defines risk as "effect of uncertainty on objectives". This guide also notes that risk can be positive or negative, and is characterized by referring to potential events and their consequences, and the likelihood of their occurrence.
For the Merriam-Webster dictionary, an opportunity is "a favorable juncture of circumstances" or "a good chance for advancement or progress". In short, an opportunity is a situation with a possible positive outcome.
When we compare the above definitions, a "favorable juncture" refers to a positive effect and "circumstances" are events. Considering the other Merriam-Webster definition, "good chance" is a likelihood and "advancement or progress" refer to positive effects. Then, considering these definitions, opportunities can be a synonym for positive risks.
Second, it is important to note that if you are exposed to a risk, negative or positive, once you are aware of it, you do have choices. You can choose to do nothing (alternatively called "accepting the risk"), or you can work on elements of the risk to increase/decrease the chances of its occurrence and/or the impact it may have on you. Pursuing is one way to treat a positive risk/opportunity (also called "risk exploiting"). A joint venture is another way to treat a positive risk/opportunity, when you look for a partner that can help the positive risk to happen and share the reward.
Considering your lottery example, if you do not buy a ticket you are not exposed to the risk (you do not have the opportunity to win). If you buy one ticket, you now have the opportunity to win (you are exposed to a positive risk). You can decide to do nothing more (not buy other tickets), or to buy more tickets, in which case you are pursuing the risk/opportunity by increasing your chances (likelihood).
Inventory of assets
My question is about the inventory of assets. We use ConnectWise Automate to keep an inventory of all our IT equipment, so can I just write in the Inventory of Assets document that “An inventory of all our IT hardware can be found in ConnectWise Automate”?
Legal requirements for ISO 22301
Answer:
Examples of legal and regulatory requirements for ISO 22301 are:
- Service agreements with customers or suppliers
- NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan (CFTC – Commodity Futures Trading Commission) (regulation)
- IDA By-Law 17.19 – Business Continuity Plan Requirement (OSC (Ontario Securities Commission))
Regarding details to be considered, you have to identify items like: requirements for the recovery time to be achieved (e.g., minimal business activities must be restored no more than 3 hours after a disruption), technologies or infrastructure to be used, etc.
Unfortunately, there is no central list of certified organizations (you must consult each certification body to track which companies are certified by them).
However, the ISO site provides an ISO survey where you can find general information about certifications, like total quantity, quantity per country, quantity per industry, etc. It does not name organizations.
Is there a way to customize intake forms when filling out a customer complaint?
Answer:
According to requirement 8.2.2 Complaint handling, the following data are necessary for each customer complaint:
-Date of receiving the complaint
-Complaint description
-Who received a complaint
-Who reviewed it – investigated it – is it reasonable or unreasonable
-Suggestion for complaint treatment
-Who approved suggestion
-Execution deadline
-Responsible for execution
-Is there any corrective or preventive action initiated
It can be done in table form. When taking the customer's description, be sure to record the lot number and how many pieces of the medical device this complaint refers to. When you create a form that covers all of these elements, you must ensure that such a form is available to anyone who needs it, whenever they need it.
I have to make a system for an auditor, using the ISO 27001 standard. I have investigated the annexes of the ISO and I would like to focus on the assets of a company, that is, so that the auditor can access the system and register the assets of the company.
The purpose of this document is to list all the important information resources and identify their owners.
This article will provide you further explanation about inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Regarding how to set up a system of internal audit, the main steps are:
- Develop an internal audit procedure
- Plan your audits, considering dates, criteria and scope
- Develop checklists to help you not forget anything during the audit
- Prepare the audit report, which will include the non-compliances and other findings
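To make the asset-register point concrete, here is an added example in Python, not from the original answer or from Advisera's own material. It merges a hardware inventory export (the kind of data a tool like the one mentioned in the earlier question would hold) with the ownership and classification records kept in the ISMS, and then lists the gaps an internal auditor would raise: assets with no owner, no classification, or present in the hardware export but never registered. The column names and sample rows are constructed assumptions for illustration, not a real export format.

```python
"""
Added example (not from the original answer): reconcile a hardware
inventory export with ISMS ownership records into an ISO 27001-style
asset register, and flag the gaps an auditor would ask about.

Assumption: the CSV column names and sample rows below are constructed
for the example; they are not a real inventory tool export format.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Constructed sample export from a hardware inventory tool (hypothetical columns).
HARDWARE_EXPORT = """hostname,serial,asset_type,location
FS01,SN-1001,server,Datacenter A
LT-042,SN-2042,laptop,Sales
FW-EDGE,SN-3003,firewall,Datacenter A
"""

# Constructed ownership/classification records kept by the ISMS, keyed by
# asset name. Non-hardware assets (information, software, services) exist
# only here, because a hardware inventory tool never sees them.
ISMS_RECORDS = """asset,asset_type,owner,classification,location
FS01,server,IT Manager,internal,Datacenter A
LT-042,laptop,,internal,Sales
Customer database,information,Sales Director,confidential,FS01
ERP system,software,Finance Manager,confidential,FS01
Payroll service,service,HR Manager,confidential,Cloud provider
"""


@dataclass
class Asset:
    name: str
    asset_type: str
    owner: str = ""
    classification: str = ""
    location: str = ""
    sources: list[str] = field(default_factory=list)


def build_register(hardware_csv: str, isms_csv: str) -> dict[str, Asset]:
    """Merge the hardware export and ISMS records into one register keyed by asset name."""
    register: dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(hardware_csv)):
        a = register.setdefault(row["hostname"], Asset(row["hostname"], row["asset_type"]))
        a.location = a.location or row["location"]
        a.sources.append("hardware_export")
    for row in csv.DictReader(io.StringIO(isms_csv)):
        a = register.setdefault(row["asset"], Asset(row["asset"], row["asset_type"]))
        # ISMS records are authoritative for owner and classification.
        a.owner = row["owner"] or a.owner
        a.classification = row["classification"] or a.classification
        a.location = row["location"] or a.location
        a.sources.append("isms_records")
    return register


def find_gaps(register: dict[str, Asset]) -> list[str]:
    """Return the findings an internal auditor would raise against the register."""
    findings = []
    for a in register.values():
        if not a.owner:
            findings.append(f"{a.name}: no owner assigned")
        if not a.classification:
            findings.append(f"{a.name}: no classification")
        if "isms_records" not in a.sources:
            findings.append(f"{a.name}: present in hardware export only; not in the ISMS register")
    return sorted(findings)


if __name__ == "__main__":
    reg = build_register(HARDWARE_EXPORT, ISMS_RECORDS)
    for name, asset in reg.items():
        print(f"{name:18} {asset.asset_type:12} owner={asset.owner or '-':16} "
              f"class={asset.classification or '-'}")
    print("\nFindings:")
    for f in find_gaps(reg):
        print(" -", f)
```

Run on the constructed data, the register holds six assets and the findings show why a pointer to the hardware tool alone does not satisfy the purpose stated above: the laptop LT-042 has no owner, the firewall FW-EDGE was never registered in the ISMS at all, and the information, software and service assets would not exist in a hardware-only inventory.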