Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Quality objectives or KPI in QMS Manual?
Answer:
The QMS Manual should have quality objectives established at the beginning as it much easier to track the effectiveness than KPI for a single department and it also provides a broader goal that the company is working toward for its Quality Management System. The objectives can be specified within or out of the Manual as ISO 13485 does not specify where the objectives need to be documented.
For more information, please refer to :
-How to manage the Quality Manual according to ISO 13485:2016 requirements: https://advisera.com/13485academy/knowledgebase/how-to-manage-the-quality-manual-according-to-iso-13485-requirements/
-Setting good quality objectives for ISO 13485: https://advisera.com/13485academy/knowledgebase/setting-good-quality-objectives-for-iso-13485/ -
Integrating management system context
2. We are in the process of implementing ISO 9001:2015 in a dairy company and we are writing down our processes but can't cleary figure out the difference between work instructions and procedures e.g. should the stepwise description of how to determine butter fat content of milk be a procedure or a work instruction Kindly assist.
Answers:
1) You are partially correct. Due to Annex SL, the ISO document that dictates how they will structure management system standards, the requirements for context of the organization are almost identical. This means that you can use the sam e process for developing the context of the organization for each standard you implement, but this does not mean the output will be identical. For instance, your customers will be very interested parties for your quality management system (QMS), but not as much for your environmental management system (EMS). Likewise, your government agency for the environment will be interested in your EMS, but may not be at all interested in the QMS. The same thought needs to be applied to your internal and external issues, some issues will not be applicable to all management systems. The policy for each management system will very likely be different as well.
2) Work instructions are a special type of procedure, so it is not surprising that confusion exists. A procedure is simply a specific way of doing a process if this is required. A work instruction is a step-by-step procedure for a specific task, such as the stepwise instruction you mentioned.
For a better understanding of how to structure documentation in the QMS see this article, “How to structure quality management system documentation”; https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/ -
ISO 9001 and Lean
Answer:
First of all, just to state that ISO 9001 and LEAN it is not an either/or choice; both can be used.
An organization can pick ISO 9001 because it is a customer requirement because it’s lack is a barrier to start working with new customers, because it is a way of reducing variability in organizations, because it is a way of a creating a continual improvement culture. LEAN methodologies can be a way of implementing the continual improvement mentioned in ISO 9001 because it is a way of identifying and systematically eliminate/reduce waste in organizations.
The following material will provide you with information about ISO 9001 and Lean:
- ISO 9001 – ISO 9001 vs. Lean: How they compare and how they are different - https://advisera.com/9001academy/blog/2014/07/22/iso-9001-vs-lean-compare-different-2/
- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- free online training ISO 9 001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
What will happen to OHSAS 18001?
Answer:
There are many companies around the world that create and issue standards, two of these are the British Standard Institute (BSI) and the International Organization for Standardization (ISO). ISO has issued the ISO 45001 standard, and BSI had issued the OHSAS 18001 standard. While the ISO organization has countries from around the world vote on the standards it releases, an organization like BSI does not. As such, the ISO standards are recognized around the world as the best practice in the international community. By comparison, the BSI standards are recognized by some countries but not others.
For a comparison of what will happen it is helpful to loo k at the ISO 14001 standard. This was also a different BSI standard before it was adopted by ISO. Once the ISO standard was issued the BSI standard was made obsolete shortly after the fact and no longer updated. The same thing is expected to happen here, the ISO 45001 standard has become the internationally recognized standard, and BSI will make the OHSAS 18001 standard obsolete, at which time certification bodies will not audit against this standard and OHSAS 18001 will not have any other releases. There has been no merger of companies, just that the standard for occupational health & safety is now internationally recognized in ISO 45001. The BSI organization does much more than just maintain standards, and will continue to exist for many other reasons.
To help transition from OHSAS 18001 to ISO 45001 I suggest looking into our whitepaper, “Twelve-step transition process from OHSAS 18001 to ISO 45001”, https://info.advisera.com/45001academy/free-download/twelve-step-transition-process-from-ohsas-18001-to-iso-45001 -
Why ISO/TS 16949 is changed with IATF 16949
Answer: Management system standards issued by ISO, like every other standard, have a review period. The review period is around 7 years. This standard represents mutual best practice in the field of automotive industry, as the industry is moving forward very fast standard must adapt and put the level of quality requirements higher. There is always a transition period of 3 years, so organizations have to comply until 2019 with new IATF 16949:2016. Organizations have to comply with the new version of the standard since the old one is not valid after the transition period. If the organization is certified against the old version of the standard (ISO/TS 164949), this certificate will not be valid anymore. 2. What is the difference? Answer: Like every new version, the standard has new requirements and it is following Annex SL structure. To find out more information please feel free to look at the following materials: - IATF 16949:2016 vs. ISO/TS 16949:2009 Matrix: https://info.advisera.com/16949academy/free-download/iatf-16949-2016-vs-iso-ts-16949-2009-matrix - Key benefits of IATF implementation: https://advisera.com/1699academy/knowledgebase/key-benefits-of-iatf-16949-implementation/ - ISO/TS 16949:2009 vs. IATF 16949:2016 Conversion Tool: https://advisera.com/16949academy/isots-169492009-vs-iatf-169492016-conversion-tool/ -
Risk assessment
1. Identify risk (Threat and vulnerability) is responsible by asset owner? If true, how do they identify?
Answer:
The asset owner is responsible for protecting and managing an asset in a company, so he has to ensure risks are identified, either by performing risk identification by himself or by working with other people (e.g., experts on the asset or people who use them on a daily basis). Since ISO 27001 does not prescribe who must perform risk identification, both approaches are valid, and you have to consider your organization context (e.g., asset owner experience and knowledge) to chose the proper approach.
Regarding how to perform risk identification, I recommend you to use catalogues such as this one: Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
These articles will provide you further explanation about asset owner and risk identification:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
2. Assessing consequence and likelihood of risk is responsible by risk owner?
Answer:
Risk owner is a person designated to solve a risk, and to do so he must be responsible for performing consequence and likelihood assessment, either by himself or with support of other personnel.
This article will provide you further explanation about assessing likelihood and consequence:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
3. So for the one who is responsible for Risk assessment just pick up from them and then do the risk assessment?
Answer:
Risk assessment is the combination of risk identification, risk analysis and risk evaluation, so it is not a simple question of picking up risks, but identify them, define values for them, so they can be prioritized, and evaluate them against your criteria, so you can decide which ones have to be treated.
These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
Toolkit content
The following appears to be missing from our folder:
A.5– Information Security
A.18– Compliance
Answer:
First of all, sorry for this confusion.
The documents from sections A.5 and A.18 are not missing from the toolkit – you can find them here:
- A.5 – all the documents from folder “08AnnexA” cover the requirements about information security policies (A.5.1.1) and review of the policies (A.5.1.2)
- A.18 – these documents are covered in the toolkit in folder "02 Procedure for identification of requirements” -
ISO 20000 and ISO 9001
Answer:
I assume - you will implement ISO 9001 and then ISO 20000. Yes, implemented QMS can help you. There are some common elements and there are some that are extended in ISO 20000 (after you implement ISO 9001).
This material can help you further:
"ISO/IEC 20000-1:2011 vs. ISO 9001:2015 matrix" https://info.advisera.com/20000academy/free-download/iso-iec-20000-1-2011-vs-iso-9001-2015-matrix -
1st and 2nd level support
Answer:
That depends on many parameters, but generally, here are more details (without knowing your organization, services, etc.).
First of all, see how many people you need on your 1st line. Then try to avoid to put your best people (usually most expensive and most usable on other, more complex places) if your 1st line is doing simple activities (opposite view if your support is complex in nature). Check also if you can afford to have a lot of resources dedicated to the services (e.g. few maintenance contracts). If you have a lot of issues with unknown root cause (Problem Management) - most probably you'll need more resources on 2nd level.
Here are few articles with more details:
"Service Desk: Single point of contact" https://advisera.com/20000academy/knowledgebase/service-desk-single-point-contact/
"
Service Desk staff – a window to the IT organization" https://advisera.com/20000academy/blog/2014/02/18/service-desk-staff-window-organization/ -
Cross-border data transfers
Answer:
If you create the accounts an not the employees themselves, then this may be a transfer of personal data provided that the employees are in the EU. However, most of the cloud providers already have transfer mechanisms in place. For example, DropBox has a Privacy Shield Certification (https://www.dropbox.com/help/security/data-transfers-europe-us ).