Answer:
The latest revision of AS9100 includes two sections that discuss risk. Clause 6.1 is a new section of the standard and brings in the concept of risk-based thinking as it was introduced into ISO 9001:2015. This section talks about identifying risk for the QMS at the top level of the planning process. These are overall company risks such as learning that a supplier or competitor is going out of business that may affect your company (Think of the opportunities and threats from a strategic SWOT analysis that top management might do). This section of the standard requires that you identify these top-level risks and determine if anything needs to be done about them.
Clause 8.1.1 on operational risk management is not a new requirement for AS9100, and is very much the same as the previous revision of the standard. As identified in Note 1 for this clause the requirements are limited to managing the risks associated with the operational processes needed to provide products and services. This clause talks about how you control risks such as potential schedule delays, short delivery schedules, high-risk parts, etc.
For more on this see the article: 5 key elements of risk management in AS9100 Rev D, https://advisera.com/9100academy/blog/2017/05/15/5-key-elements-of-risk-management-in-as9100-rev-d/
ISO 9001 and ISO 13485 internal auditor requirements
Answer:
Auditors should master the audit criteria used.
ISO 13485 includes the entire ISO 9001 standard with additional requirements.
So, your organization’s internal auditors can have ISO 13485 awareness training or can have ISO 9001 awareness training with an additional module about what is specific to ISO 13485.
Remember, organizations have the authority to define internal auditor competence requirements.
I am part of the Quality Department and we are following ISO 9001. We are in charge of the documented information of all departments across the company, including support departments (Finance, Human Resources, and Information Technology). We are the ones who create, update, and delete the documented information. However, our Information Technology Department is the one managing our server and cloud for back-up.
Our Information Technology Department is in the process of adopting ISO 27001:2013. They have a backup policy and asset management policy.
Their asset management policy covers their documented information, which we manage in QMS.
As a company, we wish to centralize the control of documented information, and if possible, integrate the two standards.
What would be the best course of action that we have to take? Who should be handling the documented information/digital assets?
Answer:
You can centralize the control of documented information and have common rules because the requirements from both standards are practically the same.
About who should be handling the documented information/digital assets, that is a management decision, not a technical one. Your organization can distribute handling responsibilities among different persons.
Answer:
There is no relation between ISO 9001 and ISO 9011. ISO 9011 is a standard about “Synchronous belt drives -- Automotive pulleys”. Are you confusing ISO 9011 with ISO 19011? ISO 19011 is a standard with guidelines about auditing management systems, like quality management systems or environmental management systems.
To certify an organization, your company has to be accredited by an accreditation body (e.g., UKAS for UK, or ANAB for USA), and for this purpose your organization has to be certified by an accreditation body against ISO/IEC 17065. You can have an overview of this standard here: https://www.iso.org/obp/ui/#iso:std:iso-iec:17065:ed-1:v1:en
Answer:
If you normally work with organizations that use and value Lean Six Sigma, owning that competence can make your CV more interesting for potential clients of your auditing services. Remember, auditing a quality management system is not only about the standard but also about internal practices and procedures.
And I am interested in TUV Nord certification for internal audit and also want to know how to make a career in the TUV organisation. I want to become an internal auditor.
Answer:
To become an internal auditor you only need to attend an accredited internal auditor course and pass the final exam. Since you are considering a career as an auditor for organizations like TUV, you should consider a lead auditor course, and you also need to perform audit hours so you can be a certification auditor.
Regarding career at TUV, you should contact them directly to know their career path.
Answer: You would need an Inventory of Processing Activities only if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.
A DPIA is necessary only if the type of processing is likely to result in a high risk to the rights and freedoms of individuals. To assess whether something is ‘high risk’, the GDPR is clear that you need to consider both the likelihood and severity of any potential harm to individuals. ‘Risk’ implies more than a remote chance of some harm. The DPIA Register in the EU GDPR Documentation Toolkit has the first questions set up as threshold questions. If your answer to any of those questions is "Yes", then you need a DPIA.
2. Do we have to always perform both of these activities every time we use the customers' data? Does this only apply to customer's data that resides in EU?
Answer: No, you just need to do it once as long as the processing stays the same. It should only be undertaken if the personal data processed is of data subjects in the Union.
GDPR processor question
Answer:
Your question is much too broad to be able to provide you with a spot-on answer. What I can suggest is setting up a process for detecting and reporting data breaches to the data controllers, training your staff on how to manage personal data in a responsible manner, regulating any international data transfers if any, and making sure you can respond to requests from data controllers asking you to delete, modify or transfer personal data. To find out more about the EU GDPR, check out our free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
ISO 27001 and COBIT
I mean can an organization using COBIT alone have an ISMS in place exactly just like if using 27001?
Answer:
Although COBIT and ISO 27001 have some requirements in common, some requirements are exclusive for each framework, so it is not possible to be compliant with ISO 27001 only by fulfilling COBIT requirements.