Search results


  • Set up a new QMS


    Answer:
    First, I recommend training in the standard.
    Second, you should do a GAP analysis to determine what must be done.
    After the GAP analysis, I suggest preparing a Project Plan around the main activities with responsibilities and timings. Implement the system, perform an internal audit and the management review. Then select a certification body and agree with them dates for the first and second stage audits.

    You can find more information in the following links:
    - Article - Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
    - Free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
    - Free online training - ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Monitoring, measuring, analyzing and evaluating


    Answer:
    When implementing a quality management system, an organization determines a set of indicators or statuses needed to evaluate performance and to draw conclusions and make decisions to act. These are indicators or statuses about the quality objectives, about processes, about products and services, and about customers' and other interested parties' satisfaction.

    For each indicator, to plan measurement, the organization should set performance targets, frequency of measurement and analysis, responsibilities and resources needed. For each status, to plan monitoring, the organization should define the possible status qualifications instead of targets, and frequency of monitoring and analysis, responsibilities and resources needed.

    According to the established frequency, monitoring and/or measurement results should be determined, analyzed (compared to what was expected, compared to the trend, compared to the target performance) and evaluated to see if requirements are being met and to determine any needed actions and opportunities for improvement, such as corrective actions.

    The following material will provide you more information:
    - ISO 9001 - Analysis of measuring and monitoring requirements in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/
    - ISO 9001 - How to define Key Performance Indicators for a QMS based on ISO 9001 - https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
    - ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
    - Free webinar on demand – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - Free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Territorial scope of the GDPR


    Answer:

    The extraterritorial reach of the GDPR is one of the new features that contribute significantly to the increased level of protection of personal data. What does extraterritorial mean? Probably one of the most important changes, the GDPR enjoys extended applicability affecting entities not established in the EU. Of course, some conditions must be met for the extraterritoriality to be applicable. The EU GDPR applies to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behavior of individuals in the Union (i.e., profiling activities, tracking individuals' activities on the internet, etc.).

    The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

    When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case, the processing does not take place “in the Union,” nor is the individual “in the Union”.

    One of the consequences of the extraterritorial reach is that companies not established in the EU must appoint a representative. That representative must be based in a Member State in which the relevant data subjects are based. Only a limited derogation is permitted where the processing is occasional, does not involve large-scale processing of sensitive personal data, and the purpose and result of the processing is unlikely to be a risk to individuals.

    If you want to find out more about the EU GDPR check out this free EU GDPR Foundation Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • 27001 training


    Answer:

    Without more detailed information about the training you are referring to, it is not possible to give you a proper answer regarding discrepancies. What we can tell you now is to verify whether those are accredited courses. If they are, their content will be enough for you regardless of the price (so, you could go for the cheapest one).

    We'd like to offer you additional options to consider for ISO 27001 training and certification:
    - ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
    - ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/
  • Handling residual risks


    Answer:

    Residual risks refer to the risks that remain after you apply all treatments you consider worthy, and you should consider these alternatives to treat them:
    - If the risk level is below the acceptable level of risk, then you do nothing besides getting acceptance of the residual risk by top management
    - If the risk level is above the acceptable level of risk, then you need to find out some new (and better) ways to mitigate those risks
    - If the risk level is above the acceptable level of risk, and the costs of decreasing such risks would be higher than the impact itself, then you need to propose to the management to accept these high risks.

    This article will provide you further explanation about residual risks:
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
  • ISO 20000-1:2018 certification schedule


    Answer:
    No, you don't have a problem certifying against the 2011 revision of the standard.
    I would suggest continuing with certification according to the 2011 revision (I have such a project as well) and next year "upgrading" to the 2018 revision of the standard.
  • Template content - Policy for mobile devices and teleworking


    Answer:

    I'm assuming this question refers to the Mobile Device and Teleworking Policy template, section 4.

    Considering that, "identifying existing rules" means that for smaller companies you do not need additional detailed plans or procedures; you can simply define phrases identifying the rules used by the organization directly in the policy. This way you have less documentation to worry about. Here is an example considering one of the items of this section (the text in brackets is the identification of the rule):

    - prevention of unauthorized access by persons living or working on the location where the teleworking activity is performed [by means of locking the door to the room where the activity is performed every time the employee is absent from the work place].
  • Template content - Teleworking

    Your team wrote in the policy that "teleworking doesn't include the use of mobile phones outside the company".
    Why did you exclude that? Because you talked before (in the policy) about mobile devices plus their rules, and you put mobile phones in that, let me call it "first", category?

    Answer:

    First, it is important to note that not including mobile phones as part of the Teleworking section does not mean it is forbidden to use them for this purpose, only that the specific rules for teleworking do not apply to them. The reason for this is that teleworking mostly refers to secure physical locations and equipment that are not moved very often (e.g., network equipment), even if they are mobile devices (e.g., notebooks), because the place is the location where the employee works most of his time, and this is not the nature of mobile phone use. Additionally, we understand that the rules defined in the Mobile Computing section are sufficient to bring potential risks to acceptable levels.
  • Records and documents


    1. What does "record" exactly mean? In my opinion it means: a document that cannot be changed after creation (protocols, test reports, management evaluation). For example: the result of a management review does not change after 3 months.

    Answer: A record is a specific type of document with the purpose of evidencing an achieved result or a performed activity. So your understanding is almost correct, considering that a record cannot be changed after it is approved or accepted, because errors can occur when the record is created, and someone has to verify that all information is complete and correct before the record can be considered valid.

    2. Besides, during the process of certification you have "documents". Documents in my understanding mean:
    A document which can be changed and of which different revision levels can exist (guideline, QM manual, process instruction).
    Okay, by that let's take the policy for mobile devices and telework. In your template in section 5 - records: you talk about the "permission for teleworking". Is that permission the signed permission of the employee or the blank permission? In my understanding the "record" can only be the signed permission, the solid document? Is that correct? If we know that, we can decide in which place the document is stored and under which conditions.

    Answer: Considering the previous answer, your understanding is correct: the record referred to in section 5 is the filled-in and signed permission, not the blank form.

    For further information about record management, please read:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/