Certifying a specific department within an organization
Answer:
Yes, it is. As long as that department specifies which interested parties it works for and what their relevant requirements are, there is no problem. In my country, several hospitals started their involvement with quality management systems by certifying individual services.
Or is there a specific ISO standard for a non-governmental organization that works specifically in the humanitarian sector?
Answer:
Yes, ISO 9001 can be and is applied in non-governmental organizations. For example, in my country several non-profit organizations that provide services to senior citizens are certified. With this kind of organization, the focus is on the network of interested parties.
Answer:
Minor nonconformity - a nonconformity that does not affect the capability of the management system to achieve the intended results.
Major nonconformity - a nonconformity that affects the capability of the management system to achieve the intended results. For example, if the company completely failed to fulfill a certain requirement; if a process has completely fallen apart; or if you have several minor nonconformities that are related to the same process or to the same element of your management system.
First of all, sorry for this confusion. In fact you do not have to perform internal audits for ISO 22301/BS 25999-2 if you want to be compliant with ISO 27001 only.
The "Annual Internal Audit Program" template was designed to be compliant with both ISO 27001 and ISO 22301/BS 25999-2 (these standards have the same requirements regarding internal audit), so the text on the template covers all these standards, but in the comments included in the template we show which text you can exclude in case you are using the template for only one of these standards.
This article will provide you further explanation about ISO 27001 internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
ISO 27001 lead implementer and audit responsibility
Answer: ISO does not issue certificates, only standards. Those who issue certificates to persons are accredited training providers. At the end of an ISO 27001 Lead Implementer course you can take an exam, and if you pass it, you will receive a Lead Implementer certificate.
2. Is the internal audit the responsibility of the security team or of other departments?
Answer: ISO 27001 does not prescribe who has to be responsible for the internal audit, so you can define this responsibility according to your needs, provided that you can evidence that the auditors have the proper competence and have no conflict of interest (i.e., auditors must not audit their own work).
Depending on the context of the organization, the company will need to define and document specific controls. Also, you need to look at the risks related to your products, processes and resources to determine the required controls. Those controls include engineering controls, procedures (e.g. a procedure for control of non-conforming product), work instructions, plans, etc. You can decide to implement them following a particular hierarchy (e.g. elimination), and you can also consider using some controls in combination.
Answer:
I like to link quality policy and strategic orientations. So, I start a conversation with top management about how to answer questions such as:
How does your organization win its most desirable clients? What do they value the most? Are there relevant interested parties that help you win business? What do they value the most? The answers help to realize whether the business is mostly about cost, service or innovation/creativity.
Then, when I work with the top management to write the quality policy I follow this recipe:
First write: Who we are and what is our business (for example, our business is not what we manufacture but the results that our customers get);
Then write: For whom we work.
In what kinds of challenges we need to be the best.
And include the two commitments of the standard (continual improvement and meeting customer and regulatory requirements).
For example:
"Company name" is an industrial company specialized in comfort footwear.
We serve customers who need a supply of comfort footwear for professional uses.
In order to better serve our customers, we believe that we must seek to continuously improve:
Our ability to develop, to be able to respond quickly to requests for samples;
A language of product that differentiates us and supports the promise of comfort;
The ace card of being a manufacturer and being able to be faster and more flexible in production;
The fulfillment of our commitments…"
This way the quality policy identifies clearly for whom we work and sets the stage for the definition of quality objectives aligned with a strategic orientation.
The audit program lists all the audits that an organization intends to execute within a certain time frame.
Normally, an audit program includes the scope of each audit, the month or week when the audit should be done, the audit team composition and who the lead auditor is. The audit program is made by the audit manager or management system manager; it is better that it is approved by top management, to give authority to the internal auditors.
For each audit included in the audit program, the lead auditor is responsible for preparing and approving an audit plan that is sent to the auditees some time before the audit, to communicate the audit date, audit objective, auditors and audit schedule. An audit plan allows auditees and auditors to agree on the date and schedule.
First of all, you have to perform a risk assessment to identify which risks related to the BYOD practice you have to treat, and which legal requirements (e.g. clauses of contracts, laws or regulations) you have to fulfill. After that you have to identify the proper controls to be implemented. In general, to secure BYOD practices you have to consider the following controls:
- A.6.2.1 Mobile device policy
- A.6.2.2 Teleworking
- A.13.2.1 Information transfer policies and procedures
- A.13.2.3 Electronic messaging