Considering your demand, I suggest the ISO 27001 Documentation Toolkit. The templates are almost 80% complete, with comments about what must be kept and what can be adjusted according to your needs.
NIST 800-53 already has a map of its controls to the ISO 27001 standard (Annex H), which can help you identify which controls need to be adjusted considering our templates.
NIST CSF and ISO 27001 are closely related, in the sense that they complement each other (CSF provides a structured framework for controls implementation, while ISO 27001 provides a worldwide recognized management framework to ensure the controls' pertinence, efficiency and effectiveness), and since CSF controls are mostly based on NIST 800-53 you can also use these to make adjustments to the templates' content.
About NYS DFS 500 and GLBA, unfortunately we do not have sufficient information to provide additional guidance.
Exclusions don't apply when the standard has already been implemented. In fact, one of the first steps when implementing ISO 9001:2015 is determining the scope of the organization, and when defining the scope of your QMS you should also determine if any exclusions apply and justify them. For instance, if a company doesn't do any design work, but uses designs already given by a customer, you can say that this requirement doesn't apply to your organization.
A customer complaint log should include the list of complaints received from customers, with their documented response and closure. After receiving a complaint, the organization must evaluate whether the complaint is reasonable or not, and after doing so, the organization will need to suggest a way of resolving the complaint and decide whether to carry out a correction or a corrective action according to its own procedure for control of nonconforming product or service.
Indeed, they should be 3 different people:
- The one who prepares the document: normally an expert in the corresponding process, with knowledge of how to document it as established by the organization.
- The one who reviews the document: usually an expert in the process with the competences needed to ensure adequate levels of quality of the document with respect to the processes and activities being documented.
- The one who approves the document: the person with the highest authority in the process, who normally designates both the creator of the document and its reviewer.
From these sites you can find the location that is closest to you.
Improvement action and continual improvement
Answer:
An improvement action is a measure taken to optimize the performance of processes within the organization. This improvement action does not have to be exclusively a response to a negative situation; it may simply be carried out in order to obtain positive consequences.
In turn, these improvement actions contribute to the objective of continual improvement of the QMS, which is to increase the satisfaction of customers and interested parties. This is reflected in clause 10.3 of ISO 9001:2015, which requires organizations to continually improve the effectiveness of the documentation and processes of the quality management system. This continual improvement is based on the PDCA cycle, from its English initials: plan, do, check and act.
The key here is to perform a Legitimate Interest Balancing Test, in which you should balance your interest in sending advertisements against the right to privacy of the affected data subjects. One of the key points is to be able to prove that the advertisement would be relevant to the data subjects. For example, if you are a company selling raw materials such as coal, you won't be able to justify sending advertisement emails to a software company representative.
I want advice on setting up QMS. This is the scenario:
Company A: Has an ISO 13485 QMS for 'Design, Development and Manufacture of patient monitoring device'. Manufacture under non-sterile conditions.
Company B: Wishes to set up manufacturing of wound care products. Manufacturing in an ISO 7 (Class 10,000) clean room. Is it better (more economical, faster, and less cumbersome, viz. documentation) to a. get a separate certification for Company B, or b. outsource manufacturing for Company A to Company B and have the scope of Company A's QMS modified?
Answer:
You should set up a separate QMS for Company B since the type of medical devices and scopes of the companies are entirely different.