Since correction and corrective action have different focuses on what to solve, this paragraph is necessary to avoid confusing personnel who are less instructed in ISO standards. Since the template is fully editable, if you understand that for your organization this second paragraph is not needed, you can delete it (but we do not recommend this).
Regarding the form for corrective actions, ISO 27001 only requires the documentation of corrective actions, not corrections, so to avoid unnecessary effort this form does not cover the recording of corrections.
Although it is an ISO 9001 article, the same concept applies to ISO 27001.
Monitoring legal compliance
Are there any free services I can sign up to that let me know when any legislation is modified or if there are any new ones, to ensure I keep this up to date at all times?
Answer:
I don’t know any free service of that kind. In certain countries and certain industries, being part of a sectorial association can provide that service for free.
We want to implement the new document structure for 2019 because we have so many things to change, so we are considering setting up the new document structure starting from Revision 00. My question is: can we do that?
Answer
Yes, you can as long as it is clear that it is a new edition of the document structure. Some organizations include edition and revision in the document codification. Others consider the change in edition as a change in the format of the documentation. I helped an organization attain their certification in 2018. After certification we decided to change the process mapping and the document structure and naming and this year, they had their surveillance audit with their new document structure starting from revision 0 without problems.
ISO 27001 does not prescribe which controls for physical premises must be used.
A control is mandatory to be implemented only if:
- results of risk assessment identify unacceptable risks that can be treated by the control
- there are laws, contracts or regulations that require the control to be implemented
- there is a top management decision requiring the control implementation.
If none of these occurs, you do not have to implement a control.
The employer should have provided you with a Privacy Notice explaining what it is doing with your personal data, as well as details on your rights, retention periods and other details as required under Article 13 of the GDPR.
You can of course exercise your right to be forgotten with the employer (or potential employer), and you should be provided with a reply within a maximum of one month.
Version of existing information system refers to the codification used to identify a released software, so you can track the correct documentation regarding the development of that system.
For example, version 1.0 is commonly used to denote the initial release of a program.
Considering that, for each existing information system in the ISMS scope you must contact the internal development team, or the manufacturer, responsible for that system to identify which is the current version in the production environment. For some systems this information may be found on the main screen or as a sub-option of the "About" feature.
If you think any of the comments included in the template explaining which information has to be included in each field needs further clarification, please let me know your specific doubt, so I can provide you with a proper answer.
Evidences of implementation
To comply with the standard, we created a Training procedure; however, we cannot present evidence of its implementation. What can you advise us to do?
Answer
ISO 9001:2015 does not require a training procedure. Has your organization determined competence requirements for each job? Does your organization determine competency gaps? Does your organization provide training or other actions to eliminate those competency gaps? Does your organization evaluate the effectiveness of training or other actions to close those competency gaps? If your answer is not a yes to some of these questions, you have to start recording evidence.
I would like to ask for your opinion regarding our practice of declaring several minor non-conformities as a major non-conformity. The minor findings may be found in one or several departments and we usually call this system non-conformity.
Answer
I agree with that practice and use it myself in my audits. If I find several minor nonconformities about a similar topic throughout an organization, I normally write a major nonconformity because it is a systemic problem, and each previous minor nonconformity supports that conclusion.
Question 2
Another thing is that whenever there are 3 or 4 observations, we elevate and consolidate them into a non-conformity.
Answer 2:
About observations, I have a problem. There is no ISO 9000:2015 or ISO 19011:2018 definition of observation. What do you consider an observation? Your findings are either conformities or nonconformities. If they are conformities and you think there is an opportunity for improvement, that is your opinion based on your experience. You as auditor can suggest that there is an opportunity for improvement. What do you consider as an observation?
Answer
Yes, it is fairly common for a certification audit to cover more than one standard. For example, a combined audit concerning ISO 9001 and ISO 14001, or even a combined audit concerning ISO 9001, ISO 14001 and ISO 45001. If an organization has implemented an integrated management system and wants to obtain its certification, it has to contact a certification body and agree on the terms. Again, it is a fairly common situation.