Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
The Statement of Acceptance of ISMS System Documents
Answer:
First is important to understand that this Statement:
- is necessary only if they have found risks or some other reason to use it
- is not necessary if you have some other way to prove that the documents were read by employees (e.g., through a document management system)
Considering that, the auditor's role is to verify if documents comply with the standard's requirements and if people's activities and process comply with what was documented, so the auditor will not require employees to sign this or that policy, but will check if they understand the policies, procedures and documents that are listed in the Statement of Acceptance of ISMS System Documents.
As for which documents to include in the statement, you have to include all documents from the toolkit you implemented.
This article may provide you further information:
- Which questions will the ISO 27001 certificatio n auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/ -
Different standard for sampling?
Answer:
ISO 13485 does not state any specific standard for sampling. It is the company’s responsibility to ensure compliance to relevant sampling standard according to local regulatory requirements. -
ISO 45001:2018 external communication
Answer:
Remember, the external communication is anything that you send to an outside organization about your OH&S activities. So, if you need to send anything to the municipalities that you work for this should be kept as a record. This could include such things as incident reports, back to work report, or anything else that is mandated for you to report on in your organization. If you need to send out information to anyone about the OH&S processes or performance, you need to keep a record of what you sent.
For a better understanding of the ISO 45001:2018 stan dard, see the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001 -
AS9100 Rev D Requirement Clarifications
While AS9100 does not dictate how the QMS will be assessed and does not dictate how long customer production processes need to be functioning, it might b possible to assess if the processes are in place without this (although this is not easy nor preferable). It is also worth noting that AS9100 does not talk about KPIs either. In ISO 19011, the standard which gives guidance on how to audit ISO management systems, these guidelines identify three methods of collecting audit evidence; observation, interview, and review of records. So, it could be possible to verify through interviews and observation that the processes are in place and functioning even if the records do not exist because no customer production has taken place.
I am not suggesting this is preferable, nor will it be easily done, but it could be possible. As for certification auditors, I also do not know what their opinion would be on auditing a system that is not currently in use to meet customer requirements, so you would have to ask your certification body directly. The question I would ask is why are you maintaining a QMS that you are not using? If the company does not produce products for aerospace, then why are you certifying to AS9100?
You can read more on how ISO 19011 works in the article:
- How to perform an internal audit using ISO 19011 https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
-
Quality and the GRC
Answer:
Quality is also about Compliance, but it is more than that. Normally, at SME Quality must ensure that regulation and industry requirements are ensured. So, Quality could sit under the GRC.
The following material will provide you more information:
- ISO 9001 – What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
- Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Cómo gestionar la documentación
Respuesta:
Efectivamente debería de cambiar la versión del documento cada vez que hace una revisión o modificación del mismo. No obstante, la organización puede decidir cómo llevar a cabo la codificación o el control que realice sobre la información documentada (procedimientos, registros y otros documentos).
Le aconsejo la creación de un procedimiento para que el control de esa información documentada se lleve a cabo de manera sistemática. Aquí puede descargar una vista previa de un procedimiento - Procedimiento para el control de documentos y registros: https://advisera.com/9001academy/es/documentation/procedimiento-para-control-de-documentos-y-registros/
Para más información puede ver estos materiales:
- Artículo – New approach to document and record contr ol in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Libro – Gestión de documentación ISO: una guía en un lenguaje sencillo: https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
- Curso gratuito en línea – Fundamentos de ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/ -
Templates identification
Answer:
First of all, we want to apologize for this confusion.
Acceptable Use Policy is an old name for the IT Security Policy, they are exactly the same document. This difference is a mistake in our website and we will correct this immediately.
If your organization is more comfortable to use one name over the other there is no problem to change the document name, you only have to take care to propagate this change to all documents which currently refer to this document. -
Auditing subcontractors?
Answer:
ISO 9001:2015 does not mandate audits on subcontractors. It is up to each organization to decide what kind of control is needed. Be sure to evaluate your subcontractors periodically based on the results of your checks and other information considered relevant by your organization.
The following material will provide you information about evaluating suppliers:
- ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
- Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
- Book - ISO Internal Audit: A Plain English Guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Audit scope
We've received additional question:
>Just to mention the team is not part of the scope as reply to the answer .
Answer: In this case the auditor has no previous authorization to audit this provider. He must justify his intention and the organization can decide to authorize or not the audit at its own discretion, but his most probable action is to check how you are managing the relationship with this service provider, i.e., how you can assure that this service provider is fulfilling your security requirements.
This article can provide you further information:
- How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/ -
Need for AS9100 Rev D
Answer:
As with any management system standard the requirement to implement AS9100 Rev D comes down to your customer requirements. If your customer does not require that you implement AS9100, even if you are an aerospace company, then the choice is up to you if you implement this standard. I do not know of a percentage of businesses that this would apply to as you have suggested, but in reality, everything comes down to the requirements of the customer, and baring that the desire of the company to use this standard to their benefit.
For more information on the benefits of AS9100 Rev D, see this article: 7 Key benefits of AS9100 implementation, https://advisera.com/9100academy/knowledgebase/7-key-benefits-of-as9100-implementation/