
  • A quality plan can help


    Answer:
    I don’t know the purpose of that sampling that you made, but if I collected samples from a supplier and gave them for testing, I would want to keep a sample with me, a kind of “sample testimony”. Later, if you are suspicious of anything, you can take that testimony and request further testing by your team or a third party.

    To prevent any future problem, I advise you to create or update your quality plan. The following material will provide you information about quality plans:
    - ISO 9001 – Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Implemented controls


    Answer:

    Our experience shows us that companies typically have ca 80 controls implemented before the start of an ISO 27001 project, and then they have ca 20 to 30 controls to implement during the project.

    The quantity of implemented controls does not have a direct impact on the certification, because information security management is about balancing needs and expectations with the level of acceptable risks (similar organizations may have a different number of implemented controls and both can be certified).

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This material will also help you regarding selecting controls:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Filling templates


    Answer:

    Since you already have identified the interested parties, now you have to identify the documents in which their requirements can be located (e.g. service level agreements, outsourcing contracts, laws, industry regulations, etc.), and the precise requirements that must be fulfilled (e.g., the clauses).

    For example, a customer has a service level agreement with your company which defines, in clause 32-b, that access to all information provided by the customer to information system ABC is restricted to customer personnel only. In this case, the person responsible for system ABC is responsible for ensuring compliance of the system with this requirement. Then your document would be like this:

    Interested party: Customer Jon
    Requirement: Clause 32-b (Information provided to system ABC is restricted to customer's personnel)
    Document: Service level agreement
    Person responsible for compliance: System ABC administrator
    Deadline: when system ABC is made available for customer use

    This article will provide you further explanation about identifying requirements:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • ISMS manual


    Answer:

    In fact, ISO 27001 requirements do not prescribe the development of an ISMS Manual, and for good reasons. If you put all the policies and procedures into a single document, this will make the reading of such a document very difficult. Additionally, the standard already has a requirement for a document that describes how a company will implement its information security – it is called the Statement of Applicability.

    This article will provide you further explanation about ISMS Manual:
    - Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

    This material will also help you regarding ISMS Manual:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Access profiles

    1. User Profile A (which Profiles are expected to be captured here?)
    2. User Profile B (which Profiles are expected to be captured here?)

    Answer:

    As an example of profiles, you can have an Administrator profile (Profile A) and a Common user profile (Profile B).

    For an operational system you can have the following access rights:
    - Administrator: read and write on files and alter system configurations
    - Common user: read and write on files only

    For corporate networks you can have the following access rights:
    - Administrator: remote access to internal networks and full access to Intern
    - Common user: internal network access only

    This article will provide you further explanation about access control:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    This material will also help you regarding access control:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Scope of information security


    Answer:

    An ISMS compliant with ISO 27001 means protecting the information in all formats in which it exists, so if you have the same information in digital and hardcopy format, you have to evaluate risks for both formats and apply security controls properly to each format.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
  • Who can be internal auditor?


    Answer:
    An internal auditor specialized in finance and general operation of the organization can conduct QMS internal audits and be the internal auditor as long as he or she has knowledge of ISO 9001 and ISO 19011.

    Today I spoke with a Quality Manager at a manufacturing plant who once worked at a bank; he told me that it was standard practice that auditors at the bank, after finding a nonconformity, proposed the action to close it, a practice not followed in the quality world.

    The following material will provide you information about internal audits:
    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Extending the scope


    Answer:
    Yes, you can change your QMS scope in your next surveillance audit. That change is called "scope extension". You must inform your certification body in advance, since that extension may require them to find a different auditor with different experience, or may increase audit time.

    Naturally, I assume that the QMS will be fully implemented in the extended scope.

    The following material will provide you information about scope:
    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Personnel certifications


    Answer:

    IATF 16949 is a management system standard for organizations. An organization can be certified based on its requirements.
    Individual certification can be done for auditors, so you can become an internal or external auditor for IATF 16949. As an internal auditor you can perform internal audits in your company, and as an external auditor you can work for a certification body.
    Certification for auditors is done based on some recognized certification scheme for personnel, and there are many organizations that offer these services.
    Also, there are some organizations where you can gain a certificate for Lead Implementer, Core Tools for IATF 16949 and similar.

    If you are interested in personnel certifications we would recommend this webinar: https://advisera.com/9001academy/webinar/personnel-certification-vs-course-certifications-what-are-the-differences-free-webinar-on-demand/

    On our Advisera eTraining website you can gain personal certification for ISO 9001 that is basic for IATF 16949:
    https://advisera.com/training/
  • Implementing ISO 9001:2015 at an NGO


    For me, according to my experience, the big difference between NGOs and companies, with regard to the implementation of an ISO 9001:2015 QMS, is that we don’t have the classic customer, but we have, at least, two kinds of “customers”:

    According to its purpose: for whom does the NGO work?
    Who is going to finance the NGO operation?

    That is why I believe that with NGOs, clause 4.2 of ISO 9001:2015 is even more important, more relevant than for companies. For example, I can think about:

    * Those we work for
    * Those who finance us (can be members of the NGO, can be governments, or can be patrons)
    * Those who help us
    * Those who provide us with products and services
    * Those that regulate us
    * Those that work for us (employees)

    Then, the next step is mapping the main processes; once that is done, the rest will be like implementing a QMS within a company.

    For example, consider an NGO that has as its purpose to help people suffering from a particular chronic illness: https://www.screencast.com/t/rOODrBr9i

    The main processes will transform a “person in need” into a “person with” – gather a team from your NGO and with sticky notes draw the flow.
    Those main processes to be executed need financing. For example, part of that financing will come from members of the NGO that contribute with an annual or monthly fee: https://www.screencast.com/t/jOpw7EwLHit
    The NGO shall have a Membership process in place that receives contacts from persons that care for those that suffer from that particular chronic illness, in order to transform them into members that support the organization. Naturally, the NGO shall have activities to proactively look for potential persons that care and can become members. The NGO shall have a Communication process to demonstrate to its members that their money is well used, by communicating results, outcomes and effectiveness, and by being responsible with the money received.

    Now one can think of patrons that can help, what process(es) can exist to attain that purpose? One can think of doctors that can act as volunteers for the NGO: how to attract them? How to work with them? More processes.

    You can find more information about implementing ISO 9001 in a nonprofit organization in the following links:
    - ISO 9001 – Should universities implement ISO 9001? - https://advisera.com/9001academy/blog/2015/04/21/should-universities-implement-iso-9001/
    - free online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/