Answer:
Clause 4.3 of ISO 45001:2018 includes a lot of requirements describing what to consider when determining the scope of your OHSMS, stating that the scope is the boundaries and applicability of your OHSMS. This can be confusing, but it is helpful to think of the scope of your management system as “where the rules of the management system apply”. So, for your company, where will the rules, policies, processes and procedures that you put in place to promote occupational health & safety apply?
If everything you do is in one building, then this one building will encapsulate the scope of your OHSMS. If you have employees who travel to other locations for business, then these locations will be part of your scope since the OH&S rules apply to them as well. So, you need to look at all of your activities as a telecom provider and determine where your OHSMS information needs to be used.
For more information on the scope for the OHSMS, see the article: How to determine scope of the OH&SMS, https://advisera.com/45001academy/blog/2015/12/09/how-to-determine-scope-of-the-ohsms/
AS9100 Transfer of work procedure
Answer:
The requirements for work transfer are included at the end of clause 8.1, operational planning and control, and include some very simple requirements. Basically, when you need to transfer work (either permanently or temporarily), have a process to plan this transfer so that you continue to have product and service conformity. When doing this, make sure you manage the impacts and risks of the transfer. The note then forwards you to clause 8.4 if you are transferring work to an outside provider such as a supplier, or to clause 8.5 when you are transferring work into your organization.
It is important to note that the standard doesn’t require you to have a procedure specifically for work transfers. If you are transferring work to a supplier, then this is the same as any other purchase from a supplier, where you assess the risks of the supplier and decide what controls you need for that supplier so that you get the right product or service. For this I would simply add information into the purchasing procedure about following these assessments for work transfer to a supplier.
Likewise, work transfer into your facility is the same as any work you are going to accept into your product and service provision process; you will assess the risks and controls before you start. In this case I would *** some statements into the procedures for the production department about work transfers following the same assessment route. In both cases, why confuse people by having a separate procedure that is almost never used when the information could be in a clause of their standard procedure?
If you are looking for specific templates for these procedures, or any others, you can see samples in our AS9100 Documentation Toolkit, https://advisera.com/9100academy/as9100-documentation-toolkit/
Document signing
Answer:
There is no rule for that. With the signature you want to evidence that someone with authority approved the document. That someone has a position. For example, Mary approves document A not because she is Mary but because she occupies the Quality Manager position. Adding the printed name is a possibility but sometimes occupies much needed space.
To be or not to be part of the overall process map
Answer:
There is no straight answer without further information. Being part of the process map or not is a function of the importance of the IT department in serving the relevant interested parties. For many organizations, what I see is that IT is more of a background process and the use of Standard Operating Procedures (Work Instructions) is enough. For other organizations IT is fundamental, and they appear in the process map. Also, please do not consider a department as the same as a process. In what flow of activities does the IT department appear? For example, they might participate in 1 or 2 steps in the integration of a new employee.
ISO 27001 does not prescribe who should be the asset owner, but in general, if by people you refer to employees hired by an organization, then the asset owner is their superior in the organization. On the other hand, if by people you refer to a hired freelancer, consultant or similar, who will work for the organization only for a defined time and for a specific piece of work, then the asset owner should be the person with whom the contract is signed.
Answer:
First of all, you need to keep in mind that the questionnaire you'll send to your customers needs to have a follow-up. That means that from the answers you'll receive there must be a clear conclusion and a plan for what to do with it (especially when an answer implies something that is not OK).
I would suggest dividing the questions into two groups:
1. Communication related - these would give you answers regarding the communication capabilities of your staff. So, questions could be: Do Service Desk (SD) staff communicate in a clear and unambiguous way? Are they calm and patient when talking to you? Are their explanations and/or reasoning understandable to you?
2. Competence related - here you'll get feedback about the quality of your SD staff's work. So, here are a few examples: Do you get your issues resolved when calling our SD? What is the quality of the provided solutions? Are the issues resolved in a timely manner (be careful while interpreting the answer - users need to be familiar with the SLA)?
This article can help you further: "Service Desk staff – a window to the IT organization", https://advisera.com/20000academy/blog/2014/02/18/service-desk-staff-window-organization/
It has a simple question-and-answer format that allows you to visualize which specific elements of an information security management system you’ve already implemented, and what you still need to do.
For each clause or control from the standard the checklist provides one or more questions which should be asked during the audit in order to verify the implementation.
Regarding in-depth questions, they are mostly related to technical competencies and daily operational practices, and to gain insight into them I suggest our security awareness program: https://advisera.com/training/awareness-session/security-awareness-training/
It has a set of short videos to educate your employees about simple techniques for protecting company information.
Methodologies for addressing risks
Answer:
To begin with, I always recommend carrying out a simple methodology, such as holding a meeting with the most relevant roles in the organization (e.g. department heads, top management, etc.) in which a SWOT (DOFA) analysis is performed. In this analysis the weaknesses, opportunities, strengths and threats of the organization and the context in which it operates will be identified. Therefore, it will not only help identify the company's risks and opportunities, but will also help determine the internal and external issues of the context, thereby fulfilling clause 4.1.
Other, more complex methodologies can also be used, as is the case with Failure Mode and Effects Analysis (AMEF). This method is used when designing a process or a product, and its objective is to identify all the possible problems that may arise, classify the criticality of the risk, and determine which actions to take in that regard.
Answer:
ISO 45001:2018 does include many required pieces of information that need to be documented, and this is indicated throughout the standard by the term ‘documented information’. Where you see the term documented information, this means the evidence for the clause needs to be written down. Additionally, there are procedures and records that the company will identify as necessary documentation, with the rule of thumb being “If we don’t document this, will there be a nonconformity?” If there will be a nonconformity, then the information should be written down.
We have created a free whitepaper with a listing of the required documented information from ISO 45001, and a list of other commonly used documents and records. This can be found here: Checklist of Mandatory Documentation Required by ISO 45001, https://info.advisera.com/45001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-45001
Control applicability
Answer:
First you have to identify whether these new features and customizations involve new/updated code or just parameterization of existing components/features (e.g., implementation of a new workflow, activation of a preexisting feature, etc.), and whether the risks involved are unacceptable (so you have a justification to implement the control). In case it involves new/updated code, control A.14.2.7 (Outsourced Development) is applicable; otherwise, control A.12.1.2 (Change Management) would be more appropriate.
It is important to note that since these activities are performed by an outsourced provider, the needed control must be a part of your contract or service agreement with this provider.