ISO 9001:2015 doesn't state or require anything about how organizations should name the different documents, so it is up to the company how to do it. As you mention in your consultation, companies usually use the following documentation structure:
- level 1 - Quality Manual
- level 2 - Quality Policy
- level 3 - Procedures
- level 4 - Instructions
- level 5 - Records
When it comes to risk treatment, there are four general options: mitigate, avoid, transfer and accept. So, in a sense, even raw risks can be considered residual risks (when the chosen treatment for them is to accept the risk).
NIST 800-171, Aerospace standards, CIS 20, NIST 800-53 with ISO 27001 Standards
Answer:
NIST 800-171, NIST 800-53, and CIS 20 (Center for Internet Security) provide detailed information for the implementation of some controls related to ISO 27001 Annex A, so to integrate these controls into ISO 27001 you have to map the relationship between them. The NIST documents already have annexes that identify these relations (NIST 800-171 Annex D and NIST 800-53 Annex H). Unfortunately, we are not experts on CIS 20, so we cannot tell you whether such relations have already been mapped.
Regarding Aerospace standards, without details about which one you are referring to, we are unable to provide a proper answer.
Usually internal auditors are consultants, professionals with experience and enough knowledge in implementing and maintaining management systems. You can work for a company as a consultant, where conducting internal audits is usually part of the job, or, if you have enough experience, work as a freelancer providing consulting services such as internal audits. In this latter case you will need to develop a contact network in order to gain new clients and advertise your services on specialized websites.
The best approach is to develop a checklist of which items you need to verify, and which results you have to find in order to determine whether there is a gap or not. Based on that approach it is easier to develop action plans to eliminate the gaps.
It was developed as a simple question-and-answer questionnaire so you can visualize which specific elements of an information security management system are already implemented, and what still needs to be done.
Both clauses, clause 4.2, which deals with understanding the needs and expectations of interested parties, and clause 6.1, on actions to address risks and opportunities, are truly crucial in the implementation of ISO 9001:2015. Clearly informing top management about both clauses, their importance for a successful implementation, and the relevance of their responsibilities in these two processes will help management become aware of these points.
To make management aware of the standard's implementation process, a series of indicators can be used to demonstrate that the QMS is also quantifiable, choosing the indicators that matter most to management, such as costs or incidents. This is especially evident in activities within an organization such as equipment maintenance, monitoring of manufacturing processes, analysis of the causes of nonconformities, etc.
Top management being fully aware of the benefits of a management system is essential so that this awareness is conveyed to employees, who will then see it the same way.
The main points here are to focus on business benefits, low costs and quick wins.
To resume a poorly implemented ISMS, or to convince management to implement security practices without external enforcement, you should focus on solving problems your areas are currently undergoing (e.g., low performance on KPIs, unplanned downtime, rework, non-compliance fines, missed deadlines, etc.) by means of quick implementation of controls based on solid risk assessments (and less focus on the other elements of the management system).
It may seem odd to start like this, but the point is to try to gain/regain top management commitment and people's trust in information security (few but effective controls will help you with that), and only after achieving that should you try to demonstrate that, in the long run, the gains can only be maintained with the help of the other elements of the management system (e.g., internal audit, management review).
Risk assessment should be monitored against recorded events, incidents and non-compliances, processes performance results, and changes on the context of the organization.
All these inputs can show trends in risks that may require the risk assessment to be adjusted, either by including/excluding risks, by changing the probability and/or impact values of existing risks, or by changing the treatment or controls for those risks.
These inputs are often considered during periodic process performance evaluation or during management review.
That will depend upon your ISO 9001 QMS scope.
A certified ISO 9001 QMS is not necessarily applied to all activities of an organization. An organization can tailor the scope of the QMS so that it is only applicable to part of the business. For example, I worked with a shoe manufacturing company with two businesses: uniform shoes and fashion shoes. They decided to certify only the uniform shoes part of the business. Once your organization decides on the scope, all projects within that scope must follow the ISO 9001 QMS rules, to avoid misleading customers. Remember, scope definition is not a technical issue; it is a management decision.