Answer:
When an auditor performs an audit, he or she compares the reality with the audit criteria. If the reality is not according to the audit criteria, we have a Non-Conformity. If the reality is according to the audit criteria, we have a Conformity.
Even when the auditor identifies a Conformity, he or she can also find, due to his or her experience, an Opportunity for Improvement. Some auditors also use the word Observation.
Based on ISO 19011:2018 one can say that:
Non-Conformity – it is when an audit criteria, a requirement is not fulfilled
Conformity - it is when an audit criteria, a requirement is fulfilled
ISO 19011:2018 and ISO 9000:2015 do not have definitions either for Opportunity for Improvement or for Observation. Nevertheless, ISO 19011:2018 states that the findings of an audit can lead to opportunities for improvement, but it only defines improvement: an activity to improve performance.
So, the evidence presented indicates that a requirement has been effectively implemented, but based on auditor experience and knowledge, the organization can take advantage of modifying its approach.
Answer:
I can give you my own experience; I have done that several times without problems raised by certification bodies.
If you check the definition of auditor in ISO 19011:2018 versus the one in ISO 19011:2011, you can see that the independence requirement was dropped. See also ISO 9001:2015 clause 9.2.2 c): what is important is to ensure objectivity and impartiality. I work on that by preparing my checklists and leaving audit reports that describe precisely what I found.
Both work just the same as long as the deletion or anonymization is permanent.
Official versions
Answer:
That E stands for the official version in English. For example, the French version is EN ISO 9001:2008 (F), where the F stands for the official version in French.
Answer:
The basis for an environmental management system is your list of environmental aspects and impacts, the way your organization interacts with the environment. You can relate each environmental aspect and impact to the processes where they originate. So, you only need to plan for the processes where relevant environmental aspects and impacts occur, and for those associated with compliance obligations even if they are not considered significant.
> 1. On the process map will follow turtle diagram of each processor flow chart ok?
Answer 1:
Turtle diagram and flowchart are both useful for describing different topics about a process.
The turtle diagram systematizes a whole set of information about a process.
The flowchart describes the flow of activities, and who participates, between the inputs and the outputs.
> 2) process Acquire materials and services we will have even if we don’t buy any material for production ok?
Answer 2:
Perhaps the name is not the best one, but the idea is to capture the activities from picking up the materials until assembling starts. Besides the materials and components, are there not any important products or services that your organization acquires from suppliers?
ISO 9001 and nonprofit organizations
Answer:
Yes, nonprofit organizations can apply for ISO 9001 certification. You can look into hospitals and governmental organizations, for example.
The following material will provide you with information on ISO 9001:
Answer 1:
Each organization has the authority to determine its competency requirements for its internal auditors. Normally, organizations consider that internal auditors should have knowledge of the audit criteria (ISO 14001:2015 in this case) and should have training in internal audits. So, your internal quality auditors should be prepared to audit your environmental management system after the training with ISO 14001:2015.
Question 2.
What would I need to conduct internal audits myself?
Answer 2:
I would recommend training on ISO 14001:2015 and an internal audit course. As a plus, I would recommend that you participate as an auditor, as part of an audit team, in 2 or 3 internal audits. Attention: I don’t recommend that internal auditors perform global internal audits. Normally, they don’t have the time and experience for that; I recommend splitting the scope of the environmental management system into 3 or 4 audits over a year.
Question 3.
What is needed for me to train auditors for internal auditing?
Answer 3:
If you want to be the trainer, I recommend that you first gain some experience as an internal auditor, perhaps after 3 or 4 internal audits as a lead internal auditor.
Question 4.
Is an internal audit conducted by someone without proper certification a non-conformance?
Answer 4:
Yes, it is a nonconformance.
A possibility is to contract an external auditor to perform your internal audit before having competent internal auditors.
The responsibilities of data processors are set out in Art. 28 - "Processors" of the EU GDPR.
These obligations include:
• The processor may only use a sub-processor with the consent of the controller. That consent may be specific to a particular sub-processor or general. Where the consent is general, the processor must inform the controller of changes and give them a chance to object (art. 28(2), art. 28(3)(d));
• The processor must ensure it flows down these obligations to any sub-processor. The processor remains responsible for any processing by the sub-processor (art. 28(4));
• The processor must assist the controller to comply with requests from individuals exercising their rights to access, rectify, erase or object to the processing of their personal data (art. 28(3)(e));
Also, be aware that it is impossible to be only a processor: if you have employees, you will be a controller as regards the data of your employees, and the same goes for the data collected via your website (if you have one).
Performing risk assessment
My reasoning is based on the understanding that risks from a risk assessment (where assets and their associated threats and vulnerabilities are defined and evaluated) are then treated by controls. Therefore, Annex A is a collection of controls used to treat risks associated with certain assets.
As an exercise to improve my understanding, I have tried to link the Annex A controls back to assets but I’m finding that a bit challenging. For example, what asset(s) would be tied to control A.5.1.1 (“A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.”)? Working backwards using an Asset, Threat, Vulnerability approach, I came up with:
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
What vulnerabilities would warrant such a control? Lack of or unclear Policy. Lack of support for Policy by Management. Lack of awareness of Policy among employees and relevant external parties.
What is the threat? Lack of management direction and support. What asset? Any information security asset with risks controlled by Policy.
Could you give some advice on how you see the Annex A controls relating back to assets in need of protection?
Answer:
First, it is important to note that for ISO 27001 the final purpose of risk assessment and treatment is to protect information and related assets, not to implement controls (for risk treatment, control implementation is only one available alternative). So, working backwards on the asset-threats-vulnerabilities methodology, by identifying which assets can be tracked to controls from ISO 27001, is non-productive work that should be avoided (this approach will definitely not work on an implementation project).
Working this way, you will be involved in an effort to identify assets for controls that you may not even need to implement, because there will be no relevant risks or legal requirements demanding their implementation, and you will spend time and resources for nothing.
So, you should focus on first identifying information and assets your organization deems important to protect, and then go for identification of controls to treat relevant risk.
Considering that, the risks you can relate to control A.5.1.1 involve assets vulnerable to user error or improper behavior due to unclear or non-existent rules or guidance (as you can see, a lot of assets can be included in this scenario, so the best approach is for you to identify which ones exist in your ISMS scope).