Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Integrating management systems
Answer
Bellow you can find information about integrating a QMS and a EMS. We have articles, webinars and toolkit.
The following material will provide you information about integrating management systems:
- Article - Integrating ISO 9001 and ISO 14001 - https://advisera.com/9001academy/blog/2013/11/19/integrating-iso-9001-iso-14001/?icn=free-blog-9001&ici=top-integrating-iso-9001-and-iso-14001-txt
- Free webinar on demand – How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
- ISO 9001:2015 & ISO 14001:2015 Integrated Documentation Toolkit - https://advisera.com/9001academy/iso-9001-iso-14001-integrated-toolkit/ -
Cookie acceptance
Answer
My advice is that all cookies that are nor technical/strictly necessary cookies should be placed on the visitor's browser only based on consent especially if we are referring to tracking cookies. -
Wording in ISO 9001
Answer:
You are correct, depending on the wording used documented information is mandatory or not mandatory. These are the words used in ISO (International Standard Organization) and their definitions:
- "shall" indicates a requirement
- "should" indicates a recommendation
- "may" is used to indicate that something is permitted
- "can" is used to indicate that something is possible, for example, that an organization or individual is able to do something
For more information about mandatory documentation in ISO 9001:2015, see these materials:
- Article - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Book - Managing ISO documentation: a plain English guide: https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- Free on line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/ -
Relationship between QMS and Risk Management
Answer:
Following ISO 9001:2015, I recommend determining risks about:
the overall intended results for the QMS;
products and services provided by the organization; and
management system processes.
Once determined the risks, risk management includes analyzing and evaluating those risks, determining the most relevant and deciding about what actions to develop in order to manage (control, eliminate, reduce, …) those risks. This way Risk Management allows an organization to focus on problematic areas and improve a QMS performance and outcomes. For example, an organization can decide where to perform quality control or where to use Standard Operating Procedures, to minimize certain risks from happening.
How should two departments QMS and Risk Management work together?
Answer:
Risk Management Department can monitor risks and their classification and work with the Quality Department in defining and implementing action plans the relevant risks
The following material will p rovide you information about competence:
- Article – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- ISO 9001 document template: Procedure for Addressing Risks and Opportunities - https://advisera.com/9001academy/documentation/procedure-for-addressing-risks-and-opportunities/
- Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
ISO 45001:2018 implementation
Answer:
The easiest way to implement your occupational health & safety management system (OHSMS) is to perform a gap analysis of what you already do against the requirements of the standard and then to put in place those things which you are missing. Every ‘shall’ requirement from the standard (anywhere that the work shall is used) represents something that you need to do in your OHSMS.
If you are starting from having nothing in place, the order of the standard is also very useful to follow as it mostly walks you through what needs to be put in place in the order that you might need to do so (for example, it starts with identifying what you organization is so that you can define the scope well). Unfortunately, there is no short cut to implementing the processes that you do not already have other than getting a helpful toolkit that will assist in documenting the processes.
After implementation, you will need to use your processes and then review and correct them as time goes on.
For a graphical representation of the ISO 45001:2018 implementation steps, see: Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process -
ISO 27001 consultant's questions
Answer: For ISO 27001 self-assessment, you can suggest your customers to use our free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
It has a simple question-and-answer format that allows your customers to visualize which specific elements of a information security management system they’ve already implemented, and what they still need to do.
2. Would it be possible to obtain just the flowchart diagram without reference to the source?
Answer: It is not clear to which flowchart diagram you are referring to, but each time you quote or use part of material from an ISO standard, or from Advisera website, you need to refer to the source. -
Monitoring a QMS
Answer:
You have a QMS with:
* overall desired results (quality objectives); and
* a set of processes (each process with one or more performance indicators).
So, an organization can develop a QMS monitoring tool based on a scorecard with those topics:
* what to measure;
* target;
* current performance;
* monitoring frequency.
The following material will provide you more information about QMS monitoring:
- Article – Monitoring and Measurement: The basis for evidence-based decisions - https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
- Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Risk assessment on BCP
1. Write the methodology (EBIOS: 2010 complying with ISO 27005)
2. Prepare Metrics (confidentiality, Integrity, Availability, Impact, Likelihood, risk apetite, maturity of controls...)
3. Risk management criterias
4. Essential Assets (Process)
5. Support Asset (Hardware, Software, network Links, persons, papers..)
6. Link between Essential assets and support assets
7. threat sources (humans, non humans ..)
8. Feared events (concerning the essential assets)
9. Threats scenarios (concerning the support assets)
10. Risk analysis (Impact, Likelihood, risk level, existing controls, Annex A, Prevention, protection, recovery, maturity, Action Plan , and recalcul Impact, Likelihood, Residual risk level, and acceptance of residual risk)
Is this methodology correct ? And what is next to do for continuing the implementation of BCP? I know I'm using the ISMS risk management methodology, is this right ?
Answer:
First it is important to note that risk a ssessment is mostly related to Business impact analysis (BIA), when you define which business processes and services are more critical, not Business Impact Plan (BCP), when you define actions to handle a disaster situation.
Considering that, ISO 22301 does not prescribe which risk methodology approach to use, only that risk assessment must be performed, so you can adopt any methodology you see fit for your organization, and the risk assessment and treatment methodology for an ISO 27001 ISMS can be adopted.
The single point of attention is that for business risk analysis you have to consider additional criteria than only confidentiality, integrity and availability (e.g., financial, environmental, etc.), so I'd suggest you to also consult ISO 31000 as reference, since it can provide additional criteria.
These articles will provide you further explanation about BIA, BCP and ISO 31000:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/ (the concepts on this article can also be applied to ISO 22301). -
Audit results
Answer:
Once surveillance audit is concluded the auditor must hold an audit closure meeting, informing among other things the results of the audit:
- any non-conformities (minor and/or major), opportunities for improvement, and observations identified
- his recommendation for the certification body (certification maintenance, certification maintenance after presentation of action plan to handle minor conformities, or certification on hold until major nonconformites are handled)
After the audit closure meeting the auditor must deliver a copy of the audit rep ort and, in case there are nonconformities to be handled, define a deadline for the deliver of the action plan / solving of major nonconformities. -
Practice for collection of evidence
Answer:
ISO 27001 does not prescribe specific rules for evidence collection, and this is not a commonly used procedure, so we do not have an specific template, but these are good references you can look for to develop rules to your organization:
- SANS Digital Forensics and Incident Response Blog: https://digital-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/
- NIST Guide to Integrating Forensic Techniques into Incident Response: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf