  • People and clause 7.1.2


    Answer:
    The standard requires that an organization has the persons considered necessary to effectively operate and control the quality management system.

    For example, a hotel may establish that breakfasts must be served by a different number of employees as a function of the number of guests, a hospital may establish that a certain service must have a certain composition in terms of number of persons and professional categories, and a long-distance bus company may establish the crew composition as a function of the kilometres of the service. In other cases, legislation or regulation may establish the number of persons performing a role and their qualification.

    The following material will provide you information about resources:
    - ISO 9001 – How to create an ISO 9001:2015 human resources audit Checklist - https://advisera.com/9001academy/blog/2019/02/28/how-to-create-an-iso-90012015-human-resources-audit-checklist/
    - Free webinar – The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (deeply based on the process approach)
  • Risk management and the process approach


    Answer:
    When I work with organizations in determining their risks, I use three perspectives:
    I consider ISO 9001:2015 clause 4.4.1 – what can go wrong in each process
    I consider ISO 9001:2015 clause 5.1.2b) – what can go wrong with products and/or services
    I consider ISO 9001:2015 clause 6.1a) – what can go wrong with our intended QMS results, QMS objectives.

    “Some managers even ask if quality objectives are the same as the performance objectives.”

    Answer:
    Yes, one can say that quality objectives are performance objectives.

    “Can one process be used to meet several objectives?”

    Answer:
    Yes, one process can be instrumental to meet more than one objective. I like to make the relationship between objectives and processes very clear. That is why I recommend using a matrix like this one:
    https://www.screencast.com/t/OcMi80COZj
    This way one can find that currently there is no process in place that can help the organization to meet Objective A, and that Processes 1 and 3 do not contribute to any quality objective.

    “What is the main difference between the process approach and risk management? Many people ask me.”

    Answer:
    The matrix above is a representation of the process approach. The intended results of an organization will be met through processes. There are no random results. If we don’t like current performance, we should act upon what we do, i.e. one or more of our processes. That is why in Quality there is the saying: Don’t blame the product (the result), blame the process (behind it). Risk management is about determining risks, evaluating them, deciding if some of them are significant, and acting to reduce, control or eliminate those significant risks.

    The following material will provide you information about risks and the process approach:
    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Free webinar – The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (deeply based on the process approach)
  • ISO 9001 and documentation for a Construction Company


    Answer:
    I recommend you start by describing how the company works as a set of processes. Then, relate those processes to the ISO 9001:2015 clauses.

    When implementing a QMS I see it as a project with two work fronts: A and B.
    A is about modeling how the organization works based on what is called the process approach. Describing an organization as a set of interacting processes.
    See this generic example:
    https://www.screencast.com/t/95JMbgdO1CNa
    Then, for each process look for what can go wrong and should be improved, look for opportunities to take advantage, and see if ISO 9001:2015 requirements are already being met. Describe those processes in order to standardize your work.
    B is about where the organization is going. It is about strategic orientation, objectives and plans to meet them. It is about overall risks and opportunities and what to do to manage them.

    “(2) How to define SOPs, KPIs and necessary documents?”

    Answer:
    ISO 9001:2015 clause 4.4.2a) gives a lot of freedom to organizations about which documents to create. That will be a function of the complexity of your organization, of the experience and turnover of your employees, of the requirements of customers, and of current performance challenges.

    The following material will provide you information about implementing ISO 9001:2015 in a Construction company:
    - ISO 9001 – Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/9001academy/free-download/case-study-for-iso-9001-2015-transition-in-a-construction-company
    - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Free webinar – The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
  • Organization of folder using Advisera template


    As we now move towards an ISO 13485 QMS in addition to our existing ISO 17025 (and maybe more QMS will follow), we face the problem that so far we do everything manually: print, sign, scan, etc. The more documents we have, the more probable it is that we will miss something. Any suggestions from your experience on how to simplify this work, or on how companies with several QMS systems deal with this problem? I have seen that you speak about Conformio; would this be a solution, or are there other suggestions?

    Answer:

    The structure of the folder is meant to give you a base to organize the QMS and to provide you with ease of accessibility and retrieval during the actual audit. So you can build the structure either way, depending on which suits you better in terms of organization, as long as you have the appropriate documentation in place to comply with ISO 13485.

    A notified body does not usually meddle with how the company organizes the structure of its folders, so it is only important that you can provide the documentation when asked for it by the auditors.
    Advisera has a platform known as Conformio which is a compliance implementation and maintenance platform that has a document management component that was purpose-built to support the certification process. It has a simple and user-friendly Document management system incorporated. You are able to upload, download, edit and delete your files, create new ones and sort them in folders which you can also add and manage. We will be happy to give you a tour if you are interested, please just let us know.
  • Identifying controls for internal audit

    1. E.g., I need to audit an e-health software named X, for instance; which controls do I need to use? Let's say that I need to audit the authentication, failover, vulnerability patching, data leaking, privacy, compliance with GDPR, etc., or even physical security. Every questionnaire contains a checklist of "27k2" questions. However, which questions from Chapters 5-18 do I need to use? All? Or only the ones that are applicable? But how do I know which ones, or which controls, are applicable or aren't applicable? I'm really lost.

    Answer:

    The main guidance to identify which controls to audit is the Statement of Applicability document. This document will inform you which controls were identified as applicable to this software, and give a general overview of the implementation approach and the implementation status. From the identified controls you can select on the internal audit checklist which questions you should ask in your audit of this software.

    This article will provide you further explanation about performing internal audit:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
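    The following is an added example, not part of the answer above and not code from the Advisera toolkit, showing how the Statement of Applicability (SoA) scopes an internal audit checklist in practice. The SoA rows and the checklist questions are constructed sample data; the control numbers follow ISO 27001:2013 Annex A, but the justifications, statuses and question texts are illustrative assumptions. Questions for applicable controls are kept and ordered so that controls not yet fully implemented are audited first; questions for non-applicable controls are set aside together with the SoA justification the auditor should verify; applicable controls with no question and questions whose control is missing from the SoA are reported as gaps. A few basic SoA sanity checks (missing justification, bad status, duplicate entries) are included, because an SoA with those defects cannot be relied on to scope the audit.

```python
"""Scope an ISO 27001 internal audit checklist from the Statement of Applicability.

Added example with constructed sample data; not the original answer's or the
toolkit's code. Control IDs follow ISO 27001:2013 Annex A; everything else
(justifications, statuses, questions) is an illustrative assumption.
"""
from dataclasses import dataclass

# Implementation statuses an SoA row may carry, in audit-priority order
# (least implemented first): an auditor spends time where controls are weakest.
STATUS_RANK = {
    "not implemented": 0,
    "planned": 1,
    "partially implemented": 2,
    "implemented": 3,
}


@dataclass(frozen=True)
class SoaRow:
    control: str          # Annex A control ID, e.g. "A.9.4.2"
    applicable: bool
    justification: str    # why the control is (not) applicable
    status: str = ""      # implementation status; empty for non-applicable rows


@dataclass(frozen=True)
class Question:
    control: str          # Annex A control the checklist question evidences
    text: str


# Constructed SoA for a hypothetical e-health application (sample data).
SOA = [
    SoaRow("A.9.4.2", True, "Unacceptable risk: unauthorized access to patient records", "implemented"),
    SoaRow("A.12.6.1", True, "Legal requirement (GDPR Art. 32) and risk R-07", "partially implemented"),
    SoaRow("A.17.1.2", True, "Availability objective for the e-health service", "planned"),
    SoaRow("A.13.2.1", True, "Risk R-12: patient data in transit", "implemented"),
    SoaRow("A.11.1.1", False, "Hosted in a supplier datacenter; physical security covered under A.15"),
    SoaRow("A.14.1.1", True, "", "implemented"),   # justification missing: an SoA defect
]

# Constructed internal audit checklist (sample data), one control per question.
CHECKLIST = [
    Question("A.9.4.2", "Is MFA enforced for all logins to the application?"),
    Question("A.9.4.2", "Are failed login attempts logged and reviewed?"),
    Question("A.12.6.1", "Is there a defined deadline for patching critical vulnerabilities?"),
    Question("A.12.6.1", "Can the current patch level of all components be evidenced?"),
    Question("A.11.1.1", "Is the server room protected by a physical access control system?"),
    Question("A.17.1.2", "Has failover been tested in the last 12 months?"),
    Question("A.14.1.1", "Are security requirements defined before development starts?"),
    Question("A.18.1.4", "Is a privacy impact assessment on file?"),   # control absent from SoA
]


def soa_defects(soa):
    """Return (control, problem) pairs that make the SoA unfit for scoping an audit."""
    defects = []
    seen = set()
    for row in soa:
        if row.control in seen:
            defects.append((row.control, "duplicate SoA entry"))
        seen.add(row.control)
        if not row.justification.strip():
            defects.append((row.control, "missing justification"))
        if row.applicable and row.status not in STATUS_RANK:
            defects.append((row.control, f"invalid implementation status {row.status!r}"))
    return defects


def build_audit_checklist(soa, checklist):
    """Split checklist questions by what the SoA says about their control.

    Returns a dict with:
      audit     - [(question, status)] for applicable controls, weakest status first
      excluded  - [(question, justification)] for non-applicable controls
      uncovered - applicable control IDs that no checklist question evidences
      unscoped  - questions whose control does not appear in the SoA at all
    """
    by_control = {row.control: row for row in soa}
    result = {"audit": [], "excluded": [], "uncovered": [], "unscoped": []}
    asked = set()
    for q in checklist:
        row = by_control.get(q.control)
        if row is None:
            result["unscoped"].append(q)
        elif row.applicable:
            result["audit"].append((q, row.status))
            asked.add(q.control)
        else:
            result["excluded"].append((q, row.justification))
    # Stable sort keeps checklist order within the same status.
    result["audit"].sort(key=lambda item: STATUS_RANK.get(item[1], -1))
    result["uncovered"] = [r.control for r in soa if r.applicable and r.control not in asked]
    return result


if __name__ == "__main__":
    for control, problem in soa_defects(SOA):
        print(f"SoA defect: {control}: {problem}")
    scoped = build_audit_checklist(SOA, CHECKLIST)
    for q, status in scoped["audit"]:
        print(f"AUDIT    [{status}] {q.control}: {q.text}")
    for q, why in scoped["excluded"]:
        print(f"EXCLUDED {q.control}: {q.text} (SoA: {why})")
    print("uncovered applicable controls:", scoped["uncovered"])
    print("questions outside SoA:", [q.control for q in scoped["unscoped"]])
```

    Run as a script it prints the scoped checklist; in this sample the "planned" failover question comes first, the physical-security question is excluded with the supplier justification to verify, A.13.2.1 is flagged as applicable but not covered by any question, and the privacy question is flagged because its control is not in the SoA at all. The A.14.1.1 row with an empty justification is reported as an SoA defect before the audit scope is trusted.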
  • Exclude design?


    Answer:
    Did your organization introduce new services in the last 5 years? For example, if a new epidemic appears, will your organization supply a new prevention and control service? If new legislation requires changing the service specifications, how will your organization plan and introduce those changes? If your answer is yes to one of these questions, ISO 9001:2015 clause 8.3 is applicable.

    The following material will provide you information about the exclusions:
    - ISO 9001 – What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/course/iso-90012015-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • OHSAS 18001 to ISO 45001 Transition


    Answer:
    If you have already implemented another standard such as ISO 9001:2015 or ISO 14001:2015, then you will have implemented most of the new requirements of the ISO 45001:2018 standard (such as context of the organization and interested parties), since the main changes in the standard have come from the re-formatting to Annex SL. Apart from this, the most important things to review are the requirements for consultation and participation of workers in the standard, as these are also new.
    One of the best ways to ensure that you have everything is to perform a gap analysis. You can use a simple gap analysis such as this free ISO 45001 Gap Analysis Tool (https://advisera.com/45001academy/iso-45001-gap-analysis-tool/), or you can take each ‘shall’ statement of the standard and place it in a table with a column to assess whether you already do this and where the information is located. You can then find what you are not doing, which are the gaps that you need to address.
    For some help planning the transition from OHSAS 18001 to ISO 45001 see the whitepaper: Twelve-step transition process from OHSAS 18001 to ISO 45001, https://info.advisera.com/45001academy/free-download/twelve-step-transition-process-from-ohsas-18001-to-iso-45001
  • Improving the accuracy of targets

    “Are there other factors that could improve the accuracy of targets?”

    Answer:
    When we talk about objectives and targets at the level of ISO 9001:2015, we may be talking about objectives and targets that derive from the quality policy, or about objectives and targets that derive from the organization's processes.

    The objectives and targets that derive from the quality policy will be all the more relevant and accurate the more the quality policy is aligned with the organization's strategic orientation. For example, if an organization's strategy is built on innovation, it makes much more sense for the quality objectives to be about innovation and its results than about the organization's efficiency.

    As for the objectives and targets associated with processes, the technique I use is to first define the purpose of the process, its reason for being, and then do an exercise of translating each statement of that purpose into quantified challenges. For example, I am working with a company that carries out small fibre-optic works. One of its processes is called “Win the contract award”. What is its purpose?

    To obtain work that brings profitability to the company;
    To fulfil what was agreed without failures.

    From this purpose the company defined the following indicators:
    Volume of work awarded, in euros;
    EBITDA profitability of the company;
    Number of complaints received;
    Number of warranty claims triggered.

    The following materials give more information on the topic:
    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - free course ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Several questions about toolkit documents


    Answer: First, it is important to note that you have to define a list of special interest groups only if you have a requirement demanding this list (e.g., an unacceptable risk, contract, law, etc.).

    Considering that, special interest groups refer to persons or entities you must contact in specific situations (e.g., reporting an incident to a law enforcement authority, asking a supplier for information about equipment, etc.), so you need to identify them. Only referring to the regulations you must comply with will not be sufficient, either because they may not define which persons or entities must be contacted, or because, by referring only to the regulations, a user looking for such a contact will still have to search for it in the referenced document, delaying any activity that requires this information.

    For additional information see:
    - Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/

    2. Backup procedure: Is it enough to define this in the 'Security Procedures for IT Department', I saw that there's also a section in the 'IT Security Policy'.

    Answer: Please note that these two documents have different target users. While the 'Security Procedures for IT Department' defines the backup procedure to be performed by IT personnel, covering the backup of the systems information used by the organization, the 'IT Security Policy' defines the backup procedure to be performed by general users regarding the information stored on their own computers, so you have to define procedures in both documents.

    3. Confidentiality Statement: Is this document useful without a reference to the Information Classification Policy?

    Answer: To be useful without referring to the Information Classification Policy, the Confidentiality Statement must contain in its clauses the definition of which information must be protected, how it can be identified (i.e., labeling rules), and how it must be protected.

    4. IT Security Policy & Security Procedures for IT Department: Are Information Transfer / E-mail and other message exchange methods relevant in the context of the scope? The scope is limited to the datacenter, so all the operations in the office are not included in the scope.

    Answer: Even if the scope is limited to the datacenter, the processes and services running inside it still exchange information with elements outside the datacenter, so you have to consider this exchanged information when developing the IT Security Policy & Security Procedures for IT Department.

    5. IT Security Policy: Is the clear desk and clear screen policy relevant in the context of the scope? The scope is limited to the datacenter, so all the operations in the office are not included in the scope.

    Answer: Information processed in the datacenter is still accessed by operators through remote connections, so the clear desk and clear screen policy must be developed with these users in mind (e.g., "datacenter operators, even when working remotely, must lock their screen if they will be absent from their workplace").
    For additional information see:
    - Clear desk and clear screen policy – What does ISO 27001 require? https://advisera.com/27001academy/blog/2016/03/14/clear-desk-and-clear-screen-policy-what-does-iso-27001-require/

    6. Security Procedures for IT Department, [Name of change record] - in electronic form: Does the name of this record have to be the name of something specific which is part of an information system, or can I just call it "Change records" to refer to all the change records?

    Answer: There is no need to have specific names for different change records. You can refer generally to these records as "Change records", and specify on the Storage location column "The system where the change record was created". This way you create a link between the record and the system where it is used.
    For additional information see:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    7. Records in general: Do I have to store some of the records in the intranet, or is it also allowed to store this on the laptop of a responsible person?

    Answer: ISO 27001 does not prescribe where to store records, so you can define the storage location as best fit for your organization.

    8. Difference A.12.5.1 and A.12.6.2

    Answer: Control A.12.5.1 (Installation of software on operational systems) refers to the implementation of procedures to control software installation in general, used by IT staff and general users, while control A.12.6.2 (Restrictions on software installation) refers to rules specific for non IT personnel regarding which software they can install.

    For example, you can have a procedure for installing antivirus software (which fulfills control A.12.5.1) that may define that all employees can install antivirus software, or that only IT personnel can install it (this rule in the procedure fulfills the control A.12.6.2).

    9. Do documents have to be signed?

    Answer: Only printed documents must be signed. For electronic documents other means may be defined to evidence that a document is approved (e.g., log or status in a document management system, or an approval email sent by the document owner).

    10. Corrective Action Form: Is it a problem if this isn't filled in by the day of the audit?

    Answer: The corrective action form can be filled in after the day of the audit, but it is recommended that this does not take too long, because the action may be forgotten amid daily activities, and, depending on the action required, any unneeded delay may be considered a failure to fulfill a system requirement, which may bring problems in a certification or surveillance audit.

    11. If you transfer a risk to a third party, how can you justify this in the Statement of Applicability for the associated controls?

    Answer: Please note that in the SoA you need to justify only whether a control is applicable or not (e.g., by stating there is an unacceptable risk, legal requirement, or top management decision requiring the implementation of the control). There is no need to justify the treatment to be applied (in this case you do not need to justify why you transferred the risk to a third party instead of mitigating it yourself).
    For additional information see:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    12. What could be a good reason to not implement control A.14.1.1 / to accept the risks associated with control A.14.1.1?

    Answer: Justifications to be considered for not implementing a control are:
    - There are no unacceptable risks or legal requirements demanding the control implementation.
    - Identified risks are acceptable under the risk acceptance criteria.
    - The costs required to implement the control are greater than the costs involved if the risk occurs.
    For additional information see:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    13. Is it really obligatory to implement the Confidentiality Statement in the toolkit? The company implements an addendum in each contract, is this suitable?

    Answer: If the addendum your company uses fulfills the requirements of ISO 27001, or can be adjusted to be compliant with the standard, then there is no need to implement the Confidentiality Statement that comes in the toolkit.
  • Developing documents for ISO 27001


    Answer:

    To develop such documents I suggest you consult these materials:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/the-basics-of-risk-assessment-and-treatment-according-to-iso-27001-free-webinar/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
