  • Updating risk management process


    Response:

    There is a requirement in Clause 10.2.1 that requires you to consider the validity of the risks and opportunities assessment and update it when a nonconformity occurs. Also, you can consider updating the procedure when a relevant change happens within the scope of the QMS, e.g. a change in technology.

    Usually the process of risk evaluation is performed once a year, but there is no mandatory requirement about this in ISO 9001:2015. It is up to the organization to determine the frequency of updating this process according to its needs.

    To learn more about risk management in ISO 9001:2015, see these materials:
    - Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Article - How to identify risk significance in ISO 9001:2015: https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Changes & exclusions in ISO 9001

    2) Is design and development of products and services applicable to the production dept?

    Response:
    1) Clause 6.3 Planning of changes - ISO 9001 requires the organization to carry out changes in the QMS in a planned manner when the need for changes is determined.

    Having a plan includes tasks, deadlines, responsibilities, resources, needed information, etc.

    Clause 8.5.6 - Control of changes - ISO 9001 requires the organization to review and control changes for products/service provision, to the extent necessary to ensure continuing conformity with requirements. Therefore it is necessary to establish a process to manage changes, i.e. to review, approve and communicate that changes have been implemented adequately and effectively. Also, changes should be validated in order not to affect the QMS.

    Basically, clause 6.3 refers to planning while clause 8.5.6 refers to establishing controls.

    Examples include: a change in a process, a change in external providers, changes in developing documented information, etc.

    For more information about changes in ISO 9001:2015, see this article:

    - QMS change management in 7 steps: https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/

    2) If you conduct some kind of design and development in the Production Department, then the requirements of clauses 8.3.1 & 8.3.2 apply. For example, if your organization only accepts customer’s designs for manufacture, then you can exclude this requirement from the scope of your ISO 9001.

    For more information about design and development in ISO 9001:2015, see this article:
    https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/

    Also these materials can help you to understand ISO 9001:2015 requirements:
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Policies levels


    Answer:

    High level policies are documents intended to be used by the whole organization, while low level policies, better known as operational policies, are intended to be used by specific areas or processes.

    So, an ISMS generally has one Information Security Policy, providing high level guidance on how to implement and manage information security as a whole, and several security policies for different aspects of operation, like the Access Control Policy, Backup Policy, Development Policy, etc. Legal requirements your organization must comply with and the results of risk assessment are the basis to identify which policies you need to implement.

    These materials will provide you further explanation about policy implementation:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    - ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Validity of a LA certificate


    Answer:

    The validity of an LA certificate refers to the period of time during which the certificate can be accepted as part of the process to become a certification auditor working for a certification body. For other purposes the LA certificate is valid as long as the version of the standard to which it refers is current. Considering that, if you are not going to apply for a certification auditor job, you do not need to go for an LA course.

    Also, since the standard version has not changed yet, there is no need to go for an LA course.
  • Integrating ISO 18788 with other management systems


    Answer:
    The ISO 18788 management system standard for private security operations can easily be integrated with other ISO standards because it follows the same format. This means that there are many common requirements (which have the same clause numbers in all the standards) such as the context of the organization and interested parties, leadership, planning (including risk and opportunities) and legal requirements, support processes (competence, awareness, communication and documented information), performance evaluation (including internal audit and management review) and improvement (including corrective actions).
    The way you integrate these systems is to ensure that the common processes mentioned above include all the aspects from the different management systems. For instance, you will need to identify legal requirements for environment (ISO 14001), OH&S (ISO 45001), and Security (ISO 18788), but you can use the same process for identification and management of legal compliance. You will also need to ensure that processes like internal audit and management review include all of the processes from all management systems.
    Finally, you will need to ensure that anything particular to ISO 18788 is included in the integrated management system if there is not an existing process. Most of these unique requirements are in section 8, Operations.
    For more information on integrating management systems, see the free whitepaper: How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001
  • A.13 security controls from ISO 27001 Annex A


    Answer:

    A.13.1 refers to a subsection of ISO 27001 Annex A, which has three controls: A.13.1.1, A.13.1.2, and A.13.1.3.
    Control A.13.1.1 is related to the general need to manage and control networks, by definition of responsibilities and procedures, as well as by implementation of practices and technologies.

    Control A.13.1.2 refers to the need to identify and document applied security controls and service levels, as well as the need to periodically monitor network security performance.

    These articles will provide you further explanation about network security:
    - How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
    - Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls https://advisera.com/27001academy/blog/2016/07/04/using-intrusion-detection-systems-and-honeypots-to-comply-with-iso-27001-a-13-1-1-network-controls/
    - How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/

    This material will also help you regarding network security:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • How contractors can help implement the OHSMS


    Answer:
    While it can be helpful to get some of this information from the contractors who are currently doing work, it is important to remember that this will not be the OHSMS of the contractor, but needs to be fully applicable to the company. For instance, it would be unreasonable for the contractors to be able to tell you the interested parties for your company, or to tell you what your OH&S policy should be. That being said, some of the clauses where the contractors might give valuable information would include:
    4.2 – expectations of workers (since the contractors are currently the workers)
    6.1.2.1 - Hazard identification (for the processes that the contractors are using)
    6.1.3 – Legal requirements (the contractors should know the legal requirements of the processes they perform)
    7.2 – Competence (again, the competence requirements for the processes the contractors do)
    8.1.2 – Eliminating hazards (for the processes the contractors perform they may have some ideas)
    8.2 – Emergency preparedness (the contractors may have plans in place for common potential emergencies that they can share)

    For help in understanding the ISO 45001 requirements, check out this free whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • Service Owner


    Answer:
    A service owner is someone accountable for the service throughout its lifecycle. That includes defining requirements with the customer (together with the Business Relationship Manager), design and transition inside the organization, as well as maintenance and improvement.

    These articles can help you further:
    "Service Catalogue – Defining the service" https://advisera.com/20000academy/blog/2014/03/11/service-catalogue-defining-service/
    "Service Catalogue – a window to the world" https://advisera.com/20000academy/blog/2013/03/19/service-catalogue-window-world/
    Also, there is a free webinar on this topic as well: "ITIL Service Catalogue from scratch" https://advisera.com/20000academy/webinar/itil-service-catalogue-from-scratch-free-webinar/
  • Organizational culture


    Answer:

    Organizational culture refers to the set of beliefs, habits, values and attitudes of a company. This culture will determine the way a company functions, and it is reflected in its strategies, its structure and its way of working.

    Changes in organizational culture could include:
    - Creation of multidisciplinary teams that support decision-making with several points of view
    - Introduction of social benefits for employees such as trips, access to free food, a gym, etc.
    - Introduction of the latest technologies into the company's processes

    Indeed, the arrival of younger staff could have an impact on the company's organizational culture change.

    To learn more about organizational culture, see:
    - How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/es/knowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/
    - Free online ISO 9001:2015 Foundations course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • How to fill in "Requirement" column


    Answer:

    A "requirement" is what a specific document requires you to perform - e.g. GDPR article 32 requires companies to use (where appropriate) pseudonymisation and encryption of personal data.

    This article will help you more: How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/