If an external auditor reveals any changes to the SoA during e.g. a surveillance audit, the certification will not be valid and a new certification process needs to be started since the scope has changed. My understanding is that an SoA is a working document that should be updated as needed as the business changes. Can you let me know which is correct and point to reference material that describes this?
Answer:
Your understanding about the SoA is correct. This is a living document that must be updated as needed. Sometimes this need to update is to reflect changes in risks not necessarily related to changes in the scope. In this case you have to record the decision made to update the SoA, and related information (e.g., update the risk assessment regarding the new risks). During a surveillance audit, the auditor will verify whether the change in the SoA was done according to the standard requirements and implemented documentation.
When changes in the SoA are in fact related to changes in the scope, besides the previously mentioned steps, you have to communicate this situation to your certification body so you can define how to approach this situation, because the certification scope will have to be updated. In some cases this will require an immediate surveillance audit, but in most cases this can be verified on the next external audit. For the additional scope you have to ensure that the same steps are taken that were performed to implement the ISMS.
Controlled vs. uncontrolled copies of IMS documents
Answer:
Basically you have two options:
- Provide controlled IMS documents only in electronic format and printed copies for uncontrolled documents
- Provide controlled copies for all IMS documents
In the first case you can state that IMS documents are uncontrolled in hard copy, so the contents are for reference only. This means that the information in the document is only valid at the moment of issuance and the one who issued the hard copy is not responsible for any change made to the document.
With this policy you can define clear rules for the use of the information system and other information assets and services like instant messaging/videoconferencing.
ISO and PCI-DSS Assessor
Answer:
First it is important to understand that ISO lead auditor certification and PCI-DSS assessor certification go through different paths.
To become an ISO lead auditor you have to attend a Lead Auditor course about the standard you want to work on (e.g., ISO 27001 lead auditor course, ISO 9001 lead auditor course, etc.), pass an exam, and gain experience in auditing for a certification body.
The Quality Objectives derive from the Quality Policy. Good Quality Objectives derive from a good Quality Policy. A good Quality Policy takes into account the purpose and context of an organization and highlights the vectors in which an organization has to excel to follow its strategic orientation. Those vectors written in the Quality Policy, however well-intentioned they may be, are simply written words. To make it easy to monitor and evaluate the effectiveness of what is being done, it is essential to translate those words into performance challenges: the Quality Objectives. For example, if an organization competes on price, Quality Objectives should include challenges related to costs, to defects and to on-time delivery. But for an organization that competes on innovation, Quality Objectives should include challenges related to product performance, to time to market, and to brand awareness.
First of all you need to make sure top management is involved in the project. This is very important, since there are many requirements for management in ISO 9001:2015, but also because they will need to provide the necessary resources for the implementation of the QMS.
After that you can conduct a GAP analysis to know which requirements your company needs to comply with and which ones it is already compliant with. You can use this free tool - ISO 9001 GAP analysis tool: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
ISO 27001 does not prescribe how an organization should implement its information security structure, so organizations are free to develop the frameworks that most suit them, e.g.:
- Create specific roles to handle information security functions (e.g., security analyst to perform security requirements identification, an incident manager to handle incidents, etc.)
- Designate information security functions to already existing roles (e.g., Quality manager to assume the information security management reporting to top management, an IT analyst to handle incidents, etc.)
Criteria to decide which roles to create, or which existing roles should accumulate security functions, may be related to the size of the organization, available resources, legal requirements, etc.
The conflict can be that the Risk function is also seen as an SME on the project - I don't know how easy it will be to portray the picture in front of the audit that the risk function is not a consultant here but only has a compliance matter job. Could you please share any perspective with me?
Answer:
Before answering your question let me show you my understanding of your scenario:
Lines of defense:
1st - front-line employees with their roles and responsibilities with regards to their activities and applied internal controls and other risk responses.
2nd - organization’s compliance and risk functions providing independent oversight of the risk management activities of the first line of defense.
3rd - internal and external auditors who report independently to the senior management.
SME = Subject Matter Expert
Considering this information, there could be a conflict of interest if the same person does the risk assessment and the internal audit (an auditor cannot audit his own work). In this case, this involves whether this person is doing the risk assessment according to the methodology, and whether this job is taking into account all the reasonable threats and vulnerabilities.
Regarding the organization's other processes, as long as you can evidence that the internal audit is performed in an unbiased and independent way, and that there is no conflict of interest between the audited processes and the audit team, there is no problem if someone performing a compliance or risk function performs the internal audit, even if he is not part of the organization (in this scenario the SME would be acting as a second party auditor, which will not interfere with your certification process).
Answer:
An organization can purchase a product (a raw material, for example), a service or an outsourced process. Normally, calibration is not considered an outsourced process, unless the certification scope is providing calibration services. Please check clauses 8.4.1 a), b) and c) about what is mandatory to include. Plating can be considered an outsourced process if it is carried out following the decision of the organization.
Answer:
Design and development is, as a rule, the most complex part of IATF and similar standards like ISO 9001. In requirement 8.3.3.3 the standard refers to special characteristics that can be defined by the customer or by the organization.
The most important part is that all special characteristics (product/process) must be thoroughly documented and marked on drawings (if required), risk analyses (FMEA), control plans and work instructions.
Also, the requirement is that a conversion table of internal definitions and symbols to the definitions and symbols defined by the customer must be submitted to the customer on request.
That basically means that all symbols and internal definitions in the conversion tables that the organization is using must be submitted to the customer on their request. This is important for mitigating the risk that an organization is using a different conversion table. This can be the case if, for example, the OEM is from Europe and the supplier is from the USA or vice versa.