Search results

  • Approval for the residual risk


    Answer: The best way is to define a risk assessment and treatment methodology, so you can define which steps have to be performed (e.g., identify, analyse, evaluate and treat the risks, as well as get approval of residual risks) and who is responsible for them.

    2. Where and how to document it? And does it need documenting?

    Answer: You have many options for where to document the approval of the residual risks: the approval could be on a separate document, within the SoA (as in our toolkit), or in the risk assessment and treatment report. This approval, like other information gathered during the risk assessment and treatment process, is a requirement of ISO 27001 and must be documented.

    To see a complete set of documents for risk assessment and treatment, please take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    These articles will provide you further explanation about the risk assessment and treatment process:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    These materials will also help you regarding the risk assessment and treatment process:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Risk assessment methods


    Answer:

    Besides asset-based, the other most common approach is scenario-based risk assessment. For additional methods, we suggest you take a look at the ISO 31010 standard (www.iso.org/standard/51073.html), which provides examples of other risk assessment methodologies, including the scenario-based approach.

    This article will provide you further explanation about ISO 31010:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
  • Differences between process based and asset based risk assessments

    The best approach is to use a combined approach. During the process-based risk assessment, make sure to identify the IT assets supporting the process and the risks related to those assets.

  • ISO 27001 implementer


    Answer:

    There is no requirement to take the ISO 27001 Lead Implementer course to act as an internal auditor, but you can consider it an opportunity to get another view of the implementation process and enhance your skills in auditing an ISMS.

    These articles will provide you further explanation about the ISO 27001 Lead Implementer course:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    This material will also help you regarding the ISO 27001 Lead Implementer course:
    - ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/
  • Methodologies for addressing risks


    Answer:

    There is a wide variety of methodologies for addressing risks. However, I always recommend carrying out this analysis in the simplest way possible, which could be a SWOT analysis performed in a meeting with the most relevant people and roles within the organization. Later, when more information is obtained through, for example, the records generated by the quality management system, the option of applying more complex methodologies could be considered.

    Another of the most widely used methods for identifying and analysing risks is FMEA (Failure Mode and Effects Analysis), which is carried out during the design of a product or a process. The objective of this analysis is to identify the potential problems that may appear in either a product or a process, identify the overall criticality of the risk and decide what measures to take.

    Nevertheless, you can use the ISO 31001 standard to develop the risk management process.

    These materials may help you understand risks in ISO 9001:2015:
    - Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Article - Similarities and differences in risk management in ISO 9001, ISO 31001 and ISO 27001: https://advisera.com/9001academy/blog/2016/10/25/similarities-and-differences-in--risk-management-in-iso-9001-iso-31000-and-iso-27001/
    - Article - Methodology for ISO 9001 risk analysis: https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Listing interested parties to employees


    Answer:
    Unless it is relevant to employees' performance that affects product or service quality, it is not mandatory. Sometimes it is relevant for the business to communicate and make employees aware that some organizations or partners, although they are not customers, are relevant to the success of the business. If I audited an organization where complaints are being received because employees don't see how they negatively affect some interested parties, I would make an observation or write an improvement opportunity.

    The following materials will provide you more information about interested parties:
    - Article - Understanding needs & expectations of interested parties in ISO 9001:2015 - https://advisera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
    - Article - How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Auditor certification recognized and at own pace


    Answer:
    Instead of a 5-day course as a lead auditor, you can enroll in an online course, progress at your own pace, and when you feel ready take an internationally recognized exam. To get external recognition somewhere, you will have to take an exam under a recognized brand in order to give credit to your qualifications among those who don't know you personally.

    The following material will provide you information about an online lead auditor course:
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
  • External audit duration and indicators


    Answer:
    Let us start with the external auditing. I believe you are speaking about the "IAF Mandatory Document for Duration of QMS and EMS Audits". When you look into an organization, you ask how many persons effectively work there. The effective number of personnel is used as a basis for the calculation of audit duration. What does "effective person" mean? According to the IAF document, "The effective number of personnel consists of all full-time personnel involved within the scope of certification including those working on each shift. Non-permanent (seasonal, temporary, sub-contractors and contracted personnel) and part time personnel who will be present at the time of the audit shall be included in this number." That means that if a hotel is audited during the high season, it will have more workers and so the certification audit will take more time. Based on the number of effective persons working in the organization, the table in Annex B of the IAF document relates Effective Number of Personnel, Complexity and Audit Duration. For example, an organization with 40 effective persons and medium complexity to audit will take 5.5 audit days. If you have 2 auditors, that could mean, for example, 3.5 days for one auditor and 2 days for the other.

    About measurement and monitoring, consider indicators related to your environmental management system objectives, to the perceptions of your relevant interested parties, and to your environmental performance.

    The following material will provide you information about monitoring and measurement:

    - ISO 14001 - How to Use Good Environmental Objectives - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-use-good-environmental-objectives/
    - Free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Benefits of certifying a quality management system


    Answer: Implementing a quality management system and getting certified are not mandatory; there is no universal law requiring that.
    However, certain important customers in several economic sectors require that their suppliers get certified. Recently, I learned from a customer that they want to get certified in order to be able to sell to some countries with lower customs duties. For example, in order to sell some construction materials in Europe, companies must have products with CE marking, and that requires the implementation of some parts of a quality management system.

    2. Which one is more important?

    Answer:
    The answer depends upon each particular situation. If you have customers that demand it, certification is very important. I do not feel comfortable saying that one is more important than the other, because obtaining the certification implies, at the outset, having the quality management system implemented.

    3. What's the importance of the ISO certificate if the standards are implemented/complied with?

    Answer:
    If your organization has a quality management system implemented, getting certified can be useful in terms of credibility and image, and that can translate into more customers and more opportunities to bid.

    The following material will provide you with information about selling the benefits of having a quality management system:
    - ISO 9001 – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Scope determination - a management not a technical decision

    Hi, did you map your organization (Operations Department) as a set of interrelated processes? With what outside parties do those processes interact? Some of those outside parties will be suppliers, others regulators, others maybe partners. Can any of the remaining outside parties be considered customers? Zoom out from the detail and answer the question: Who does my organization (Operations Department) serve?

    And if they are insiders, those whom we serve, in turn, whom do they serve?

    Follow the mission of your organization, perhaps that can help find one or more groups of customers, internal and external.

    Does this help you? Let me know.