Search results


  • Auditor competency

    First, it is your organization that has the authority to establish competency requirements for internal auditors. Second, your organization should, as a good practice, update those requirements. Normally, updating includes knowing ISO 9001:2015 and knowing good auditing practices, perhaps considering an update for ISO 19011:2018. So, if you updated your ISO 9001 training to the 2015 version and you meet all internal requirements for internal auditors, there would be no problem.
    The following material will provide you with information about internal audits:
    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit
    https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Internal Auditor Course
    https://advisera.com/training/iso-9001-internal-auditor-course//
    - book - ISO Internal Audit: A Plain English Guide
    https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • QMS experience and training

    Answer:

    Thank you for your question. Prior experience in quality refers to actual hands-on experience, for example as a consultant, performing internal audits or implementing the standard, or as a member of the quality department of a company where ISO 9001 is implemented and monitored, or where internal audits are carried out, among other roles.

    Obviously, the first step toward gaining experience is acquiring knowledge, for which it is highly recommended to take a course, and if you want to demonstrate that knowledge, to obtain some kind of certificate.

    At Advisera we offer several online courses that you can attend free of charge, listed below:
    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - ISO 9001 Lead Implementer Course: https://advisera.com/training/iso-9001-lead-implementer-course/
    - ISO 9001:2015 Internal Auditor Course: https://advisera.com/es/formacion/curso-auditor-interno-iso-9001/
  • How to demonstrate compliance with 7.1 - Resources

    Answer:

    The auditor will verify that the organization's resources, which are addressed throughout clause 7.1, include the relevant personnel for the effective operation of the quality management system, the infrastructure needed for the efficient operation of the different processes, as well as other types of resources such as those needed to provide a suitable environment for carrying out the processes, the resources for monitoring and measuring the system, etc.

    To demonstrate this, among other options, the organization can add to the specification of each of its processes the resources it will use: human, material, financial, infrastructure, etc. On the other hand, you will need to take into account the resources that already exist within the organization in order to determine those that must be obtained from external providers.

    For more information on the requirements of clause 7.1, you can consult the following materials:
    - Report - Clause by clause explanation of ISO 9001:2015: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    - Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - Free online course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Certification for services


    Answer:

    ISO 27001 cannot be used to certify products and services, only the processes that support them (e.g. e-mail administration and operation processes).

    After getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, the steps for ISO 27001 implementation you should consider are:
    1) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
    2) development of risk assessment and treatment methodology;
    3) perform risk assessment and define the risk treatment plan;
    4) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    5) people training and awareness;
    6) controls operation;
    7) performance monitoring and measurement;
    8) perform internal audit;
    9) perform management critical review; and
    10) address nonconformities, corrective actions and opportunities for improvement.

    During this process you can select and hire the certification body to perform the certification audit.

    These articles will provide you further explanation about ISMS implementation and certification:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/
  • Documentation structure

    Answer:

    If you are referring to the structure of the different types of Quality Management System documents defined by the international standard ISO 10013:2001, it is only a recommendation and would not match some of the documents currently mandatory under ISO 9001:2015.

    Specifically, the ISO 10013:2001 standard contains the following recommendations regarding the content and structure of ISO 9001 documentation:
    1) Quality manual. This document is currently not mandatory in ISO 9001:2015, although the organization may keep it.
    2) Quality policy. It is still a mandatory document in ISO 9001:2015.
    3) Quality procedures. Procedures are no longer mandatory documented information, although the organization can determine the need for them and implement them in its processes.
    4) Work instructions. It is the organization that decides which work instructions might be necessary for implementing the standard.
    5) Records. You can review the list of records and other mandatory documented information in ISO 9001:2015 in this article - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    These materials can help you with the documentation structure in ISO 9001:2015:
    - Article - How to structure the quality management system documentation: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-estructurar-la-documentacion-del-sistema-de-gestion-de-calidad/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course – ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Kick off ISO 9001 Project


    Answer:

    You should perform a GAP analysis to check your level of compliance with the standard. You can access this free GAP analysis tool: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/

    Also, you must learn each clause of the standard so you can have a better idea of which requirements your organization needs to fulfill. You can check this whitepaper for that purpose - Clause by clause explanation of ISO 9001:2015: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015

    Once you know which requirements you need to comply with, you can start writing a Project Plan in which you assign responsibilities within the company related to the implementation of ISO 9001:2015, define the documented information to be written and determine milestones along the project. Although this is not a mandatory requirement, it can help you organize your implementation of the standard. You can download this free document - Project Plan for ISO 9001 implementation: https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word

    After that you can start the different steps of the ISO 9001:2015 implementation, from defining the quality policy and objectives, the context of the organization and the scope, through to the internal audit and management review.

    Regarding the documentation, you can download a free preview of this toolkit to comply with the necessary requirements - ISO 9001 documentation toolkit: https://advisera.com/9001academy/iso-9001-documentation-toolkit/

    You can see these materials to help you to begin with the implementation process:
    - Article – Checklist of ISO 9001 implementation and certification steps: https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - Checklist - Project checklist for ISO 9001:2015 implementation: https://info.advisera.com/9001academy/free-download/project-checklist-for-iso-9001-2015-implementation
    - Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - Free on-line training – ISO 14001:2015 Foundations: https://advisera.com/training/iso-14001-internal-auditor-course/
  • Adoption of ISO 27031


    Answer:

    ISO 27031 is a supporting standard to help implement controls from ISO 27001 Annex A section 17, which basically covers continuity of information security and Information and Communication Technologies. Considering that, ISO 22301 covers the continuity of business as a whole, while ISO 27031 can be seen as a tool to implement the technical part of ISO 22301, so implementing it without ISO 22301 wouldn't be a good approach, because you wouldn't take advantage of the business impact analysis process, which helps optimize resources application.

    This article will provide you further explanation about ISO 27031:
    - Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
  • Pass or fail audit


    Answer:
    First you must consider nonconformities and their classification as major or minor.

    Normally, any minor nonconformities found in an audit will need to be addressed within a certain timeline, but the certification can be granted when the corrective action plan is received, and the audit team will follow up at the next surveillance audit by the certification body. Major nonconformities might mean that your certification will not be granted until the corrective action is in place and the certification body auditors come and verify that it is effective. But I agree with you, there is some subjectivity from certification body to certification body.

    The following material will provide you more information:
    - How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - free online training ISO 9001:2015 Lead Auditor Course
    https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • ISO 9001 vs ISO 27001


    Answer:
    Being ISO 9001 certified is not an alternative to being ISO 27001 certified.

    ISO 9001 is a management system standard for the quality management system, and ISO 27001 is a management system standard for information security management system. While ISO 9001 is about customer satisfaction, ISO 27001 is about information risk reduction.

    The following material will provide you more information:
    - How to integrate ISO 9001 and ISO 27001 - https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/
    - free online training ISO 9001:2015 Lead Auditor Course
    https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Filling templates


    Answer: Besides the reference to the ISO 27001 standard and to the implementation project plan (if such a document exists) that is already included, you have to include references to any laws, regulations or contracts that have clauses that can impact your ISMS (e.g., confidentiality clauses in service level agreements with customers, data protection clauses in laws you are required to follow, etc.). For this list you can reference the List of Legal, Regulatory, Contractual and Other Requirements template, which is included in your toolkit in folder 02 Procedure for Identification of Requirements, and include the references to all documents there.

    There is no need to include reference to any other document from the toolkit.

    2. We have an offshore wholly owned subsidiary in India which operates as a separate legal entity, can we include that in the scope?

    Answer: Subsidiaries legally bound to the main organization can be included in the ISMS scope, but you should evaluate whether the effort to maintain two organizations operating in different countries in a single scope is greater than adopting two separate scopes.

    3. During the first audit, the auditor mentioned we needed a 'small scope' that would be printed on the ISO Certificate, which part of the scope is he referring to?

    Answer: The auditor is referring to a summary from subsections 3.1 to 3.5 of the ISMS Scope Document (processes and services, organizational units, locations, networks and IT infrastructure and the exclusions of the scope). An example may be:

    "The ISMS scope comprises the software development process, performed by our software development department on premises located at address xyz, and the customer support process, performed by our customer relationship department on premises located at address abc."