  • Internal Audit in ISO 45001


    Answer:
    Just like other management systems, the ISO 45001 internal audit is based on the process audit. This means that you prepare for the audit by reviewing the OHS requirements for the process, then assess the process using interviews, observation and review of records to check whether what is actually happening meets the planned requirements for the process. Your audit plan will need to be as detailed as necessary to inform those involved of what you intend to look at during your audit, such as an email or a standard form that identifies all the necessary information.
    For more information on audits in the OHSMS, see this article, “How to perform internal audits in ISO 45001”; https://advisera.com/45001academy/blog/2015/09/23/how-to-perform-internal-audits-in-iso-45001/
  • How to implement GDPR in big companies?


    Answer:

    This is mostly up to you. You can have a set of documents for each of the subsidiaries if there are differences between them. For example, the employee privacy notice will be relevant only for the employees in the EU.
    If everything is the same, you can have a set of documents applicable to all companies within your group. In this case, you will need to add a paragraph to mention the applicability across the whole group.
  • Manual for company with subsidiary


    Answer:
    ISO 9001:2015 no longer requires a quality manual. Being so, there is nothing in ISO 9001:2015 that forbids doing what your company wants to do. Your quality manual can even be a symbol or a tool to reinforce the relationship between the two parts of a whole.

    The following material will provide you information about quality manuals:
    - ISO 9001 – Writing a short Quality Manual - https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
    - The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://training.advisera.com/course/iso-90012015-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk assessment and treatment for ISO 27001 and ISO 22301


    I was looking through the list of documents that are mandatory for ISO 27001 and ISO 22301, and I can see that the Risk Assessment and Risk Treatment Methodology document is mandatory for both ISO 27001 and ISO 22301. My question is: can I use the Risk Assessment and Risk Treatment Methodology document to cover both ISO 27001 and ISO 22301, or do we need to produce separate Risk Assessment and Risk Treatment Methodology documents (one to focus on information security and one to focus on business continuity and disaster recovery)?

    Answer: You can use the Risk Assessment and Risk Treatment Methodology document to cover both ISO 27001 and ISO 22301 requirements with no problem.

    These articles will provide you further explanation about Risk Assessment for ISO 27001 and ISO 22301:
    - How to organize initial risk assessment according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/04/29/how-to-organize-initial-risk-assessment-according-to-iso-27001-and-iso-22301/
    - Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/
  • Enrollment Process in Elementary School


    Answer:
    First, consider the difference between process and procedure. A process is a set of activities that transform inputs into intended outputs. A procedure is the description of a process; if documented, it is a documented procedure.

    Look into the Enrollment in Elementary School as a flow of activities. Where does it start?

    * Present school; (perhaps your school organizes an open day to show the school to prospective fathers for them to get a glimpse into a class and meet and talk to professors and staff, see children, question school administration)
    * Receive parents; (perhaps there is a time frame for enrollment, perhaps there is a special room to receive parents and help them do the paperwork)
    * Receive documentation; (perhaps there is documentation that government or other organization requires parents to provide, that then must be checked)
    * Check special needs and requirements;
    * Fill records;
    * Deliver enrollment documentation.

    This is a very generic description of what can be an enrollment process in a school.
    Does your school need, or feel the need for, documented procedures to explain in detail one or more activities?
    How will your school evaluate enrollment process performance? For example, are open day activities useful and effective? How many problems with documentation are found after the process ends?
    What kind of records are required by law or by the school administration? For how long will they be kept?

    These are examples of the topics to consider when thinking about an enrollment process in a school with a quality management system.

    The following material will provide you information about process vs procedure:
    - ISO 9001 – Watch Your Language! Don’t confuse processes with procedures - https://advisera.com/9001academy/blog/2014/11/04/watch-language-dont-confuse-processes-procedures/
    - Should universities implement ISO 9001? - https://advisera.com/9001academy/blog/2015/04/21/should-universities-implement-iso-9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Separate procedures for contractor and subcontractor

    For clarification, we are a telecoms infrastructure provider. We do site build that involves civil and telecom works.

    Answer:
    There is nothing in clause 4.2 of ISO 9001:2015 that forbids an organization from doing what you want to do. Moreover, there is no clause in ISO 9001:2015 that goes against that practice.

    What I recommend in each procedure is being very clear about the scope of application.

    I can think that your company and its subcontractors want and are concerned with quality control, cost control and time control. I can imagine a situation where your company is OK with quality and time performance but wants to improve cost control performance. At the same time, for your company, as long as the subcontractor’s quality and time control are OK, cost control is not a problem because your company only pays what was agreed. One can imagine a situation where subcontractors control costs more effectively than your own company and improving cost control is not a priority.

    The following material will provide you information about subcontracting:
    - ISO 9001 – How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • EU GDPR and scrapping data

    We've received an additional question:

    > If a crawler like Google is allowed to crawl data from webs, may I crawl Google data with an app? In other words, am I allowed to crawl a crawler?

    Answer:

    Google, like many others, has Privacy Notices, Privacy Policies as well as other documents and tools to enable users to understand what is happening with their data and to allow them to exercise some of their rights. I am not saying they are perfect, not by a long shot, but they at least have something. And an army of well-prepared lawyers. Still, they failed numerous times and have just paid a 50 million euro fine in France.
    So, long story short - you can try to act like Google but you need to be ready to face the consequences if you don't comply with the privacy laws especially the EU GDPR.
  • ISO 27001 Lead Auditor


    Answer: To be qualified as an ISO 27001 Lead Auditor you have to attend an ISO 27001 Lead Auditor course, and for this course there is no previous requirement needed, so you can start your auditor career with ISO.

    This article will provide you further explanation about becoming an ISO 27001 Lead Auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    2 - And I am confused: the ISO main bodies are PECB and IRCA, but there are others like GAQM and IGC, so are these equally known like the main ones?

    Answer: PECB and IRCA are accreditation bodies (organizations that authorize organizations to issue certificates), while GAQM and IGC are accredited certification bodies and training providers (organizations that perform certification audits and provide training). Depending on your location, some certification bodies and training providers will be more recognized than others, so you have to check which provider will add more value to your certification.

    Advisera also provides an accredited ISO 27001 Lead Auditor course, and you can read more information at this link: https://advisera.com/training/iso-27001-lead-auditor-course/
    This article will provide you further explanation about accreditation and certification:
    - Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
  • Toolkit content

    We have received a further question:

    > The matter is still confusing to me. The source of the information for the possibly missing document is this link: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    > At the above link you can read this line in the paragraph of mandatory documents: “Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)”. The Information Security Policy template doesn't mention in its references the clauses A.7.1.2 and A.13.2.4, so it cannot be the template covering these clauses. Clause 5.3 is cited instead, and it is clearly related to the definition of roles and responsibilities. It also appears that clause 5.3 is completely on a different topic than the missing clauses A.7.1.2 and A.13.2.4. Can you please clarify the matter?

    Answer: I'm sorry about this confusion. Here are the answers:
    - Clause A.7.1.2 is covered in documents "Confidentiality statement" (toolkit folder 08 - A.7 Human Resources Security) and "Security Clauses for Suppliers and Partners" (toolkit folder 08 - A.15 Supplier relationships)
    - Clause A.13.2.4 is covered in document "Confidentiality statement" (toolkit folder 08 - A.7 Human Resources Security)

    The two documents above describe general roles and responsibilities; as my colleague has described above, each of our policies and procedures further enable the definition of detailed roles and responsibilities.

    By the way, in the root folder of the toolkit you'll find a document called "List of documents" which specifies which clauses of the standard are covered with which toolkit document.
  • Design of processes - applicability

    I have one doubt about the exclusion of clause 8.3 Design and development.
    In my opinion, nobody can exclude this clause because design and development mean not only design of the product but also the design of the process, and the processes are particular to each organization and have to be completed by each organization!

    Answer:
    Thank you for your kind words, glad you appreciated!
    During the webinar, because time is short, I developed this figure: https://www.screencast.com/t/6oWcA7Qr
    During offline training, I developed this one because I have more time: https://www.screencast.com/t/EtxdizG50Jv

    The green company is a real case that I audited some years ago. They had no brand of their own, they did not design the products, but they were picked by customers because they were very good at developing finishing processes that made products stand out as different.

    Back to your question, imagine that you buy a plastics injection machine, you receive a mold from the client, you buy the raw materials and start to manufacture plastic parts for the client. There is no real process design or product design. Most of the time organizations truly do not design processes and auditors do not expect them to do it. So, in your shoes I would think openly: does this organization stand out for anything they do differently with their processes? If yes, clause 8.3 is applicable. If not, you can consider clause 8.3 not applicable and justify it.

    The following material will provide you with more information about applicable clauses:
    - ISO 9001 – What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/