Search results

  • Which Compliance modules in Conformio are required by ISO 13485 & 14971?


    Answer:

    You can use the following Compliance modules: Customer complaints, Nonconformities, Corrective actions and Internal audits. But you can also use the templates from the toolkit for the same purpose - whatever suits you better.
  • Is there a requirement for periodic document review?


    Answer:

    There are no strict requirements for a periodic document review. Clause 4.2.4 b) states that documentation should be updated as necessary.

    It is, therefore, left to the choice of every organization to assess this period on their own, and to set the criteria that will determine the periodical update. The purpose of the periodic review of documents is to make sure that all processes are carried out as described. There are often times that someone accidentally makes a small change in the steps, so once the colleagues take over the project, there is a discrepancy between what was provided in the first place and what was later done.

    Therefore, when determining how often you will review your documents, consider the following:
    1) whether there was a large fluctuation of people
    2) whether you have changed equipment, facilities, resources, location
    3) whether the managers of individual processes have changed and brought some of their own policies and practices.

    It is common that the documentation is reviewed every two to three years, and, in extremely small companies, with 3 to 5 people, it is possible to review it every 5 years.

    To learn more about the most common errors in documentation control, please refer to this article: https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/ .
  • Writing a nonconformity


    Answer:
    If you keep things at such an abstract level, then the clause has to be very general. I would use clause 4.4.1 because of its introduction: failure to implement or maintain processes. Normally, nonconformities are defined at a much more specific level. For example, failure to follow the internal process at the commercial level can be associated with clause 8.2.

    The following material will provide you with information about audit nonconformities:
    - Article – How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • AS9100 Certification process summary


    Answer:
    The AS9100 implementation process goes through a few simple steps. First, get management support, identify your requirements and scope, and define and implement all your processes. Next, train everyone to the level needed and choose a certification body that will benefit your company. Operate your system to collect records, perform internal audit and management review to identify any corrections or improvements needed, and put in place corrective actions. Finally, the certification auditors will conduct a stage 1 documentation audit and a stage 2 certification audit where they will review all your processes against the AS9100 standard and your internal and customer requirements.
    For a graphical representation of the AS9100 Rev D implementation process, see the free download: AS9100 Rev D implementation diagram, https://info.advisera.com/9100academy/free-download/as9100-rev-d-implementation-diagram
  • 27001 certification audit

    Thank you very much Rhand.
  • Wiki as document repository


    Given that the wiki is only accessible to the company staff, maybe a copy paste and an indication to revise the procedure in the wiki, which is the one that will be updated, would suffice?

    Answer: ISO 27001 does not prescribe how to handle documented information, only that it must be handled properly, so you can use your wiki as long as you can fulfill the requirements for documented information management from clauses 7.5.2 and 7.5.3 (e.g., approval flow, records, preservation, etc.).

    This material will also help you regarding documented information:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    By the way, from your answer it seems that you have redundancy - i.e., the same documents in the wiki and in another format you use to upload information to the wiki. If this is the case, be sure to avoid this redundancy, because it will only increase your administrative work. Keep only one format as your official repository for documented information.
  • How to implement ISO in a Bank?


    Answer:

    The implementation of ISO 27001 is quite similar regardless of the industry and size (what differs is the quantity of resources and complexity of deliverables), and the general steps are:
    1) getting management buy-in for the project;
    2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational requirements and those of interested parties;
    3) development of risk assessment and treatment methodology;
    4) perform risk assessment and define the risk treatment plan;
    5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    6) people training and awareness;
    7) controls operation;
    8) performance monitoring and measurement;
    9) perform internal audit;
    10) perform management critical review; and
    11) address nonconformities, corrective actions and opportunities for improvement.

    This article will provide you further explanation about ISMS implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    Regarding implementation approaches, the most common are:
    - Use your own staff to implement the ISMS
    - Use a consultant to perform most of the effort to implement the ISMS
    - Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

    Each one of them has its advantages and disadvantages. For more information, I suggest the following materials:
    - 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
    - Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
    - ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • Risk management for email service


    Answer: The process is similar, in this case:
    - Asset: Email service
    - Threat: Disruption of service / inability to send and receive emails
    - Vulnerability: No alternative provider
    - Control: Open account with other email service provider(s) as a backup

    - Asset: Email service
    - Threat: Disruption of service / inability to access existing emails
    - Vulnerability: The data is not backed up
    - Control: Use local email client to archive all emails