Search results


  • Avoiding nonconformities


    Answer:
    The best way to avoid nonconformities is performing demanding internal audits and preparing auditees to be open and cooperative during those internal audits. Give them training and make them partners in improving the quality management system.
    Remember, having minor nonconformities in the certification audit is not an obstacle to getting certification.

    The following material will provide you with information about internal audits:
    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - ISO 9001 – How to prepare for an internal audit - https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/
    - 13 Steps for ISO 9001 Internal Auditing using ISO 19011 - https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
    - Free webinar – How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
    - book – Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • Lean thinking/ISO 9001/2015 integration


    Answer:

    Lean thinking in combination with ISO 9001 can help organizations to improve their processes within the quality management system by identifying and removing waste from the processes. The most used tools and principles among companies are value stream mapping, 5S, lean metrics, and takt time.

    Their integration can provide a better value for the organization and your customers, but also a good return on your investment.

    To learn more about ISO 9001 and Lean thinking you can see:
    - Article: ISO 9001 vs. Lean: How they compare and how they are different: https://advisera.com/9001academy/blog/2014/07/22/iso-9001-vs-lean-compare-different-2/
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Toolkit content


    1. Confidentiality level mandatory on each document?

    Answer: The label displaying the confidentiality level is mandatory only if control A.8.2.2 Labeling of information is applicable to your ISMS, because of the results of the risk assessment, legal requirements, or a top management decision.

    This article will provide you further explanation about selection of controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    2. Confidentiality Statement for Employees: [name of contract on the basis of which the person will have access to confidential information], is this the employment contract?

    Answer: This information can be in the employment contract for regular employees, but it can also be in a service agreement for temporary employees. This situation must be considered on a case by case basis.

    This article will provide you further explanation about terms and conditions of employment:
    - What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

    3. Do I also have to list the records and / or appendices in the 'Statement of Acceptance of ISMS Documents' ?

    Answer: You have to make reference to all documents you want the person to acknowledge. For example, if the Backup policy is not referred to in the 'Statement of Acceptance of ISMS Documents', the person cannot be held responsible for not complying with it.

    4. Control A.11.2.1 Equipment siting and protection: I assume this does not include the work laptops of the employees, this only includes network and system architecture, right?

    Answer: This control includes all equipment included in the ISMS scope, even work laptops of the employees. The mobile nature of laptops may also require additional controls related to security off-premises, but protection on premises is mostly accomplished by control A.11.2.1.

    These articles will provide you further explanation about physical protection:
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/

    5. List of legal, regulatory, statutory and contractual requirements:
    a) Do we have to document all the employment contracts, NDAs, SLAs, etc...?

    Answer: Contracts normally have clauses establishing rights and duties regarding information security, and in these cases they must be documented.

    b) Also, to be ISO 27001 certified, we don't have to be compliant with GDPR as an example right?

    Answer: If you have to comply with some law or regulation that defines information security requirements related to your ISMS scope, then you need to be compliant with them to become ISO 27001 certified. For example, if your ISMS scope handles EU citizens' personal data, then you have to be compliant with EU GDPR Article 32.

    This article will provide you further explanation about ISO 27001 and EU GDPR:
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Exclusions from the ISMS scope


    How can I do it? Should I define this in the scope document as an exclusion or maybe I should not mention it at all (I mean that I will only mention a department which works with the serviceA in the "Organizational Units" section)? I understand that I will have to assess the risks that the serviceB may cause and I will mitigate them with some policy (Acceptable Use, Access Control) and also some technical controls.

    Also a similar situation could be like this: a department consists of 10 employees. Only two of them work with the serviceA (which is in scope). Can I include only those two? And how to do that? What exactly should be defined in the "Exclusions from the scope" section of the ISMS Scope Document? Is it something that we cannot control but it affects the security? What I want to emphasize by asking this is why should we define exclusions – maybe we do not need to exclude anything since it is not included in the scope?

    Answer:

    You should only use the "Exclusions from the scope" section to explicitly define elements that are inside your statement of scope but that you do not want the ISMS to handle. If you can make this separation when defining the scope, there is no need to define exclusions.

    A good example is your department scenario. You can define only the two roles that have access to service A as part of the ISMS scope (in this case there are no exclusions), or you can define your department as a whole inside the ISMS scope and include the roles that do not need access to service A as "Exclusions from the scope".
    Considering your other scenario, if service B is completely unrelated to, or can be easily separated from, service A, there is no need to mention service B as "Exclusion from the scope". On the other hand, if service B is part of service A, then you should include service B on "Exclusions from the scope" so your ISMS does not need to manage it.

    In both cases, to keep the document as simple as possible we suggest you make the necessary separation when defining the scope.

    It is important to note that exclusions may mean an extra cost and effort to keep the separation from the elements in the scope, and in some cases it may be better to include all elements in the ISMS scope.
    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • Different standards for different facilities


    Answer:
    Your dilemma is not uncommon when there is a split of functions between facilities. The final decision will come down to the customer requirements placed on you; if they are only for manufacturing, then this is acceptable, but not if the customers are expecting engineering to fall under the same aerospace requirements. If your customers are not requiring AS9100, then the decision of how you apply the standards becomes more up to you, since you will have different scopes and then treat the other facilities as suppliers into your processes.
    The difficulty comes in your scope definition. Many of the additional requirements in AS9100 Rev D are manufacturing and product related, but not all (for instance, some are design and purchasing related). You will need to justify why these non-manufacturing requirements are being excluded from your AS9100 scope when they are actually done for your company, especially if some of the design verification occurs in your manufacturing facility (such as building prototypes).
    One final thing to consider is the difficulty in performing common processes (such as internal audit and management review) if you have different scopes in different facilities. You will likely end up duplicating these processes which can end up costing you more than the separate scopes save. Unless the facilities function completely separately from each other, having different scopes can be difficult and time consuming. I would often recommend against it.

    For a better understanding of the AS9100 Rev D requirements, in particular those different from ISO 9001, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
  • ISO 14001 certification

    2. How often does it have to be renewed?
    3. Who certifies to the ISO 14001 standard?

    Answers:

    1. The cost of certification will vary depending on the country you are in. I recommend that you contact several independent certification bodies, which will ask you for a series of details in order to prepare a quote.

    For more information about the costs of implementing and certifying ISO 14001 you can read this article (in English) - How much does ISO 14001 implementation cost?: https://advisera.com/14001academy/blog/2017/01/23/how-much-does-iso-14001-implementation-cost/

    2. Certification is normally carried out every 3 years, although there are so-called surveillance audits that verify the maintenance of the environmental management system every year and that cover only parts of the system.

    To learn more about how the certification process works, you can see this article (in English) - ISO 14001 certification: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-certification/

    3. Certification to the ISO 14001 standard is carried out by an independent certification body, which verifies that the company, product or service actually meets the requirements of the standard. I recommend that you read this article (in English), which will help you choose the best certification body - How to choose a certification body for ISO 14001: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

    These materials may also be useful to learn more about the ISO 14001 certification process:
    - Free online course - Fundamentos ISO 14001:2015 (in Spanish): https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
    - Book - The ISO 14001: 2015 companion (in English): https://advisera.com/books/the-iso-14001-2015-companion/
    - Book - Preparación para la auditoría de certificación ISO: una guía en un lenguaje sencillo (in Spanish): https://advisera.com/books/preparacion-para-la-auditoria-de-certificacion-iso-una-guia-en-un-lenguaje-sencillo/
  • Naming procedures in ISO 14001


    Answer:

    It is not relevant how your company names its documents as long as you comply with the ISO 14001:2015 requirements, in this case with the requirements of clause 9.1 of the standard.

    For more information about Monitoring, measurement, analysis and evaluation for ISO 14001:2015, see the following materials:
    - Article - How to measure the effectiveness of your EMS according to ISO 14001:2015: https://advisera.com/14001academy/blog/2016/09/05/how-to-measure-the-effectiveness-of-your-ems-according-to-iso140012015/
    - Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - Free on-line training – ISO 14001:2015 Foundations: https://advisera.com/training/iso-14001-internal-auditor-course/
  • Auditing company manufacturing wood and plastic products


    Answer:
    In my answer, I will just focus on what is specific to that manufacturing company: wood and plastic products.
    I would consider the life cycle of those materials. Does the wood come from certified forests? Does the wood include recycled wood? Does recycled wood come from operators with a permit? Does the organization buy recycled plastic? Does recycled plastic come from operators with a permit? Does the organization reuse plastic and wood?

    The same exercise can be made based on the environmental assessment of aspects and impacts and risks and opportunities, and on the legislation and regulation applicable.

    The following material will provide you with information about the assessment of environmental interactions and internal audits:
    ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/ nowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    How to make an ISO 14001 internal audit checklist - https://advisera.com/14001academy/blog/2016/06/27/how-to-make-an-iso-14001-internal-audit-checklist/
    Free online training ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • EU GDPR and volunteers


    Answer: Each of the EU branches of your organisation should have in place a Controller to Controller Data Transfer Agreement with the US Headquarters (document 7.1 in the EU GDPR Documentation Toolkit).

    2. What forms do our volunteers need to sign so we can transfer the data to them? I'm not finding something applicable in the templates we purchased. It would be a cross-border transfer to one of our volunteer members but we do not have a commercial agreement with our volunteers. Sometimes at events, our volunteers would be data controllers on behalf of the organization as well but I am specifically asking about data transfer from our headquarters to our volunteer leaders in the EU region, and our volunteers would contact the members directly on behalf of the organization.

    Answer: The volunteers would act as your processor and should be treated as such. You would need to have a DPA in place (document 8.1 of the EU GDPR Documentation Toolkit).
  • Applying ISO 14001


    Answer:
    Honestly, I see no difficulty for a health and environmental officer to apply ISO 14001 in his work area. Perhaps training in ISO 14001 foundations could be useful to learn the basics of the standard. After that, ISO 14001 is very project oriented and focused on improving or maintaining an organization’s interaction with the environment.

    The following material will provide you with information about the assessment of environmental interactions and ISO 14001:2015:
    ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    Free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/