Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Developing a checklist
Answer:
Below you can find an article about developing an ISO 9001 audit checklist, a link to our internal audit toolkit (with a preview to our Internal Audit Checklist), a link to a free course on ISO 9001:2015 Internal auditor course and a link to a book on internal audits.
- Article - ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
- Article - ISO 9001:2015 Internal Audit Toolkit - https://advisera.com/9001academy/iso-9001-2015-internal-audit-toolkit/
- [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Managing regulations of different countries
Answer:
First it is important to define how the regulations will be identified and by whom, and after that how you will control them. For that I suggest these templates:
- Procedure for Identification of Requirements https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/
- List of Legal, Regulatory, Contractual and Other Requirements https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
In case you have the regulations documents in electronic form, you also have to consider a documentation repository with control and searching capabilities, so I'd suggest you to take a look at our Conformio platform at this link: https://advisera.com/conformio/
With Conformio’s bu ilt-in document management system, all your company documents and files are maintained in one place, allowing multi-user access in a safe and secure environment to store all your valuable information.
For further information see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- Does ISO 27001 help CCPA compliance? https://advisera.com/27001academy/blog/2018/10/16/does-iso-27001-help-ccpa-compliance/ -
Surveillance audit schedule
Answer:
After a successful certification audit, the certification auditor must provide the organization with a general agenda for the surveillance audits, which will display the intended audits for the surveillance cycle. Near each surveillance audit the certification auditor must align the details of the audit with the organization. So, in short the organization must have an idea of the scope of the next audit.
Considering the size of your organization, most probably all the scope will be audited on each surveillance audit, but you have to check this information with your certification body.
For further information see:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/ -
List of Legal, Regulatory, Contractual and Other Requirements
First it is important to note that you only have to develop such list if control A.18.1.1 (Identification of applicable legislation and contractual requirements) is applicable to your organization (the main clauses of the standard only require that such information must be considered with no need to document it).
Regarding a partially filled document, unfortunately such information is protected by confidentiality agreements with our customers, but here is a practical example of how to fill this template:
Consider that, a customer named Jon has a service level agreement with your company which defines, on clause 32-b, that access to all information provided by the customer to information system ABC are restricted to customer personnel only. In this case the person responsible for system ABC is responsible to ensure compliance of the system to this requirement. Then your document would be like this:
Interested party: Customer Jon
Requirement: Clause 32-b (Information provided to system ABC are restricted to customer's personnel)
Document: Service level agreement
Person responsible for compliance: System ABC administrator
Deadline: when system ABC is made available for customer use
Besides Service Level Agreements, you should consider laws and regulations applicable to the locations where you operate. For identification of specific requirements for your organization we recommend you to seek for expert legal advise. -
Can the same set of documents be used for the new company?
Answer:
You can use the existing technical file and documents for the same product that you will be producing in the new company.
For more information, please read article:
How to meet ISO 13485:2016 requirements for medical device files
https://advisera.com/13485academy/blog/2017/06/28/how-to-meet-iso-13485-requirements-for-medical-device-files/ -
Using the risk approach to design control practices
Answer
Let us imagine that you observed the activities around the reception of customer goods to be stored in your warehouse. Let us suppose that you only noted the following activities:
Receive truck;
Check papers;
Determine storage location;
Unload truck;
Store goods;
Update inventory.
Now, you can apply the risk-based approach and think, with people that work on the process, what can go wrong in the process?
And you list things like:
Receiving goods not addressed to us;
Receiving goods (quantities and/or references) different from what is the cargo manifest;
Receiving goods with damaged or violated packaging;
…
Now, if you apply a risk evaluation you can classify risks as critical or not critical. If your organization considers any of the risks determined as critical, you should consider an action plan to handle those risks. One of the action plans can be checking quantities and references during unloading of the cargo and recording the result somewhere. Another action plan could be creating a set of pictures that will be used to classify a damaged or violated packaging as relevant, to be recorded and communicated immediately to the client.
Your organization will not use the products but will be responsible for their quantities and state while in your warehouse.
The following material will provide you information about the risk approach:
- Article - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- How to identify risk controls in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/21/how-to-identify-risk-controls-in-iso-90012015/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- Free course – ISO 9001 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Audit evidence and management review purpose
Answer: If control A.12.6.1 (Management of technical vulnerabilities) is applicable to your organization, and it is implemented by means of Vulnerability Assessment and Penetration Testing, then you may have to show the results to the auditors as evidence that this control is implemented and working properly. Of course you do not have to show all results, only the quantity required to evidence the control is implemented
For further information, read:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
2. What is the difference between an internal review and internal audit?
Answer: I'm assuming you are referring to management review. Considering that, while the internal audit purpose is to verify if processes were planned according defined requirements and are being performed as planned, the purpose of management review is to evaluate if the expected results are bein g achieved and if plannings need to be adjusted.
These articles will provide you further explanation about management review and internal audit:
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/ -
Developing an ISO 27001 project
Answer:
First it is important to note that the purpose of this checklist is only to help you keep track of your project, so the only fill in you have to do is a check mark on each finished task.
To see documents that can help you with your project implementation, I suggest you to take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This toolkit has templates with clear instructions about what to write to develop and implement an ISMS based on ISO 27001
These articles will provide you further explanation about ISO 27001 and its implementation:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
T hese materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
ISO 27001 benefits
Answer:
To obtain support of your top management for your ISO 27001 implementation project, you should present the potential benefits of ISO 27001, which basically are 4: Compliance, Marketing edge, Lowering expenses and putting your business in order. To know more about these benefits, please see this article “Four benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
This free webinar can be also interesting to know how to obtain the management support “ISO 27001 benefits: How to obtain management support” https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/ -
Quality policy scope
Answer
An organization develops a quality policy for the whole organization under the quality management scope.
The following material will provide you information about the quality policy:
- Article - How to Write a Good Quality Policy - https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
- How does the ISO 9001:2015 revision affect the Quality Policy? - https://advisera.com/9001academy/blog/2018/04/10/how-does-the-iso-90012015-revision-affect-the-quality-policy/
- Free course – ISO 9001 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/