
  • Templates content


    Answer:

    Mentioning references is not mandatory for ISO 27001, but it is considered a good practice, because it makes it easier to identify which requirements the document is fulfilling, which in turn makes it easier for auditors to check the documents and for document owners to review and update them.
  • Policy statement


    Answer:

    First, it is important to understand that these policies are different because they have very different audiences. The ISO 27001 policy is to be used by top management, while the ISO 9001 policy is for public display. We do not recommend trying to shorten the ISMS policy to a one-page document, because there is a risk that the document will not fulfill the standard's requirements.

    You can develop a public display version of the ISMS policy to fulfill your needs, but this version has to have a disclaimer informing that it is not the full version of the ISMS policy, where the full version can be found, and that this version does not deviate from the content of the full version.

    Considering all this, to create a version of the ISMS policy statement in the same format as the Quality policy, as general guidance you should change the references from ISO 9001 to ISO 27001, because most of the requirements are the same. For example:

    - in the first paragraph you should have something like this: "The basic orientation of [organization's name] [include here the objectives defined on section 4.1 of the ISMS policy]"
    - in the bullet related to commitment you should have something like this: "Commitment to protect information from [processes/services described in the ISMS scope document]"
  • The Statement of Acceptance of ISMS System Documents


    Answer:

    First, it is important to understand that this Statement:
    - is necessary only if they have found risks or some other reason to use it
    - is not necessary if you have some other way to prove that the documents were read by employees (e.g., through a document management system)

    Considering that, the auditor's role is to verify whether documents comply with the standard's requirements and whether people's activities and processes comply with what was documented, so the auditor will not require employees to sign this or that policy, but will check whether they understand the policies, procedures and documents that are listed in the Statement of Acceptance of ISMS System Documents.

    As for which documents to include in the statement, you have to include all documents from the toolkit you implemented.

    This article may provide you further information:
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
  • Different standard for sampling?


    Answer:

    ISO 13485 does not state any specific standard for sampling. It is the company's responsibility to ensure compliance with the relevant sampling standard according to local regulatory requirements.
  • ISO 45001:2018 external communication


    Answer:
    Remember, external communication is anything that you send to an outside organization about your OH&S activities. So, if you need to send anything to the municipalities that you work for, this should be kept as a record. This could include such things as incident reports, back-to-work reports, or anything else that your organization is mandated to report on. If you need to send out information to anyone about the OH&S processes or performance, you need to keep a record of what you sent.
    For a better understanding of the ISO 45001:2018 standard, see the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • AS9100 Rev D Requirement Clarifications

    While AS9100 does not dictate how the QMS will be assessed and does not dictate how long customer production processes need to be functioning, it might be possible to assess if the processes are in place without this (although this is neither easy nor preferable). It is also worth noting that AS9100 does not talk about KPIs either. ISO 19011, the standard which gives guidance on how to audit ISO management systems, identifies three methods of collecting audit evidence: observation, interview, and review of records. So, it could be possible to verify through interviews and observation that the processes are in place and functioning even if the records do not exist because no customer production has taken place.

    I am not suggesting this is preferable, nor will it be easily done, but it could be possible. As for certification auditors, I also do not know what their opinion would be on auditing a system that is not currently in use to meet customer requirements, so you would have to ask your certification body directly. The question I would ask is why are you maintaining a QMS that you are not using? If the company does not produce products for aerospace, then why are you certifying to AS9100?

    You can read more on how ISO 19011 works in the article:
