Search results


  • Quality control versus quality assurance


    Answer:
    Quality Control results allow verification of Quality Assurance effectiveness. Independently of your operation size, your company should plan the required Quality Control from raw materials reception, through production, to the final product: what to control, by whom, with what frequency, with what specifications, and with which monitoring resources. Required means required by your company’s experience; or by clients; or by standards; or by regulation; or by competition performance.

    Quality Assurance and Quality control are interrelated. Quality Assurance is about how a process is performed or how a product is made, Quality Control is about the inspection aspect.

    The following material will provide you information about quality control and measurement:
    - ISO 9001 – How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
    - Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Roles and competencies


    Answer: ISO 27001 does not prescribe who must be responsible for internal audit, so considering the size of the organization, the CEO can be the owner of internal audit process.

    2. Can an intern perform internal audit? In that case, who will become owner of internal audit?

    Answer: The main criterion to perform internal audit is competence, which can be evidenced by means of knowledge (e.g., certificates), education (e.g., training) or experience (e.g., records of previously performed audits), and impartiality (an auditor cannot audit his own work). If you can demonstrate that the intern has the necessary competence, and he does not audit his own work, he can perform internal audit. Regarding the ownership of the internal audit process, in this case, considering the person is an intern, you should consider a full-time employee to be the owner (including the CEO, as stated in the first answer).

    These articles will provide you further explanation about roles and responsibilities and internal audit:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
  • Template content


    Answer:

    Your understanding is correct. The "deadline" column refers to the date by which your organization will have to be compliant with the identified requirement (in your example, the date by which your organization will have to be compliant with requirements related to GDPR).
  • Supporting ISO 27001 certification


    Answer:

    To support an ISO 27001 implementation you should consider these certifications:
    - ISO 27001 Lead Implementer – this certification recognizes people who have competency on the ISO 27001 implementation process.
    - ISO 27001 Internal Auditor – this certification recognizes people who have competency on auditing an ISMS against ISO 27001 requirements, thus providing more confidence to an organization for being certified.
    - ISO 27001 Lead Auditor – this certification recognizes people who have competency on auditing an ISMS against ISO 27001 requirements, and want to become certification auditors (work for certification bodies).

    For ISO 27001 there is no such role as "implementer auditor".

    So, considering your customer needs, you should consider the ISO 27001 Lead Implementer course, which will provide you more information about the whole implementation process.

    These articles will provide you further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/

    For courses related to these certifications, please see:
    - ISO 27001:2013 LEAD IMPLEMENTER COURSE https://advisera.com/training/iso-27001-lead-implementer-course/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • File Format for ISO 45001


    Answer:
    The ISO 45001:2018 requirements do not dictate how you will file documentation; this is something that you decide for yourself to best meet the needs of your company. You are not required to match your documentation formatting or numbering to the standard, and there is nothing saying how you will identify or format your filing system. You do not even need to change from what you are doing already. The important thing is to make sure that you file everything that is needed in a manner that is best for your company to use and improve. The OHSMS is there for your company to benefit from, so organize it in the manner that is best for you.
    For a better understanding of the transition process, see the whitepaper: Twelve-step transition process from OHSAS 18001 to ISO 45001, https://info.advisera.com/45001academy/free-download/twelve-step-transition-process-from-ohsas-18001-to-iso-45001
  • ISO 45001: SWOT for risks and opportunities


    Answer:
    A sample SWOT analysis is difficult because this tool is very specific to the organization. The strengths, weaknesses, opportunities and threats change from company to company and industry to industry. Even the format of this tool is not common, since it can be a table, or even just a listing for the 4 sections. It is also important to remember that the ISO 45001 standard does not require a SWOT analysis, just an assessment of risks and opportunities. This is only one tool to identify the risks and opportunities for your OHSMS.
    So, while you need to decide the information for each section of the analysis for your organization, some examples could include:
    Strengths: You have a highly engaged workforce focused on OH&S
    Weaknesses: You have a lot of accidents/incidents which you need to work on preventing.
    Opportunities: You have a supplier that has developed a new chemical which is less hazardous, and could be used in your process.
    Threats: A supplier is discontinuing a chemical you need, and the easy replacement is more hazardous.

    For more on the requirements for risks and opportunities, see this blog post: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
  • Validating product spec


    Answer:
    If an organization publishes a performance spec for a product it must validate its ability to comply with it. Check ISO 9001:2015 clauses 8.3.3, 8.3.5 and 8.6.

    The following material will provide you with information about a performance spec for a product:
    - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Internal Audit


    Answer:

    Yes, this terminology has to match. For more about internal audit please read article:
    Five Main Steps in an IATF 16949:2016 Internal Audit
    https://advisera.com/16949academy/knowledgebase/five-main-steps-in-an-iatf-169492016-internal-audit/

    If you want to know more about how to make an internal audit checklist for IATF 16949, take a look at this article:
    How to make an Internal Audit checklist for IATF 16949:2016
    https://advisera.com/16949academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iatf-16949/
  • Assets of IaaS

    Answer:

    In situations where you cannot change service conditions presented by the provider, you should evaluate if your organization can accept the risks not properly covered by the provided service agreement, and if there are alternative providers you can consider.
  • Risk assessment and BIA

    1. Which one would I do first and why?

    Answer: Actually, there is no definitive order to perform risk assessment and business impact analysis, and the choice for one or another will depend on your expectations:
    - By doing BIA first you will have a prioritized list of processes and services that can impact the most of your business in case of disruptive incidents, then you can go to assess the most relevant risks for the most critical processes and services.
    - By doing risk assessment first you will have a prioritized list of risks your organization is most exposed to, i.e. the most potential disruptive incidents, then you can go to assess the impact on business regarding the processes and services affected by those risks.

    Particularly, we prefer to do risk assessment first because this way you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents).

    This article will provide you further explanation about BIA and risk assessment:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

    2. Do I include the BIA risks in my risk register and, if yes, then do I reference the BC plans for the treatment plan? As an example, would a fire be raised as a risk in the risk register as well as in the BC plans?

    Answer: If the risks used to support the BIA process are related to information you want to protect with your ISMS (i.e., risks that impact information), then you need to include them in the risk register for ISO 27001.

    These articles will provide you further explanation about risk treatment and SoA:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/