Search results


  • Internal auditors selection

    The conflict can be as Risk function is also seen as SME on the project - I don't know how easy it will be to portray the picture in front of audit that risk function is not a consultant here but only a compliance matter job. Any perspective you can please share with me?

    Answer:

    Before answering your question let me show you my understanding of your scenario:

    Lines of defense:
    1st - front-line employees with their roles and responsibilities with regards to their activities and applied internal controls and other risk responses.
    2nd - organization’s compliance and risk functions providing independent oversight of the risk management activities of the first line of defense.
    3rd - internal and external auditors who report independently to the senior management.

    SME = Subject Matter Expert

    Considering this information, there could be a conflict of interest if the same person does risk assessment and internal audit (an auditor cannot audit his own work). In this case, this involves whether this person is not doing the risk assessment according to the methodology, and whether this job is not taking into account all the reasonable threats and vulnerabilities.

    Regarding other organization's processes, as long as you can evidence that the internal audit is performed in an unbiased and independent way, and that there is no conflict of interest between the audited processes and the audit team, there is no problem if someone performing a compliance or risk function performs the internal audit, even if he is not part of the organization (in this scenario the SME would be acting as a second party auditor, which will not interfere on your certification process).

    These articles will provide you further explanation about internal audits:
    - Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
    - First-, Second- & Third-Party Audits, what are the differences? https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • Outsourced process?


    Answer:
    An organization can purchase a product (a raw material, for example), a service or an outsourced process. Normally, calibration is not considered an outsourced process, unless the certification scope is providing calibration services. Please check clauses 8.4.1 a) b) and c) about what is mandatory to include. Plating can be considered an outsourced process if it is carried out following the decision of the organization.

    The following material will provide you information about outsourced processes:
    - ISO 9001 – How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Compliance with special characteristics


    Answer:
    Design and development is by the rule the most complex part of IATF and similar standards like ISO 9001. In requirement 8.3.3.3 the standard refers to special characteristics that can be defined by the customer or by the organization.
    The most important part is that all special characteristics (product/process) must be thoroughly documented and marked on drawings (if required), risk analyses (FMEA), control plans and work instructions.
    Also, the request is that a conversion table of internal definitions and symbols to the definitions and symbols defined by the customer must be submitted to the customer on request.
    That basically means that all symbols and internal definitions in conversion tables that the organization is using must be submitted to the customer on their request. This is important for the mitigation of the risk that an organization is using a different conversion table. This can be the case if, for example, the OEM is from Europe and the supplier is from the USA or vice versa.

    If you would like to find out more about FMEA please see: What is FMEA, and how to apply it in IATF 16949 https://advisera.com/16949academy/blog/2017/09/06/what-is-fmea-and-how-to-apply-it-in-iatf-16949/

    We would, also, like to suggest the following material Procedure for Design and Development: https://advisera.com/16949academy/documentation/procedure-for-design-and-development/
  • Audit observations


    Answer:
    I have one problem with your question: What is an audit observation? ISO 19011:2018 does not define what an audit observation is. So, I would ask your certification body how they define audit observation and what kind of answer they request, or not. For example, I am reading a certification body audit report where they include this statement in the audit report template: “The Observations are formulated with the purpose of improving the Management System and its effectiveness; do not require a response or notification from the Organization; and will be subject to re-evaluation in the next audit.”

    The following material will provide you information about audits:
    - ISO 9001 – How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 9001 and restaurant


    Answer:
    If you believe you need ISO 9001 certification, perhaps you could benefit from attending a course about ISO 9001:2015 content, another about implementing a quality management system, and another one about performing internal audits. In my experience with hotels with restaurants, they look for kitchen consistency independently of the shift working.

    The following material will provide you information about attending free courses:
    - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
  • Filling toolkit templates


    Answer:

    Labeling can be adapted to organization needs, so you can remove it, but you have to consider that without labels the risks may increase, because it will be more difficult for people to identify the sensitivity of information and how to handle it properly. An alternative may be to have only two classification levels and label only the most sensitive information. This way you will reduce the need to label information.

    For more information, see: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    2. About document “A.9 access control” in 08 annex A, can you guide us how to fill the user profile section?

    Answer:

    Here is an example for user profile:
    Name of system: Payroll module
    User rights: Include records and edit records
    Job titles have access rights according to this profile:
    • Payroll analyst

    Name of system: Payroll module
    User rights: Delete records
    Job titles have access rights according to this profile:
    • Payroll manager

    Name of system: Payroll module
    User rights: View records
    Job titles have access rights according to this profile:
    • All employees

    Network: Internal network
    User rights: Upload and download files
    Job titles have access rights according to this profile:
    • All employees
  • ISO 9001 in hospitals


    Answer:
    Several studies published in technical magazines show that quality management system implementation, according to the ISO 9001 standard, is useful for hospitals as it can help to improve operational efficiencies, reduce errors, increase patient safety and develop a more preventive approach instead of a reactive environment. Perhaps you can develop a value proposition around these topics:

    The following material will provide you more information about ISO 9001 implementation in hospitals:
    - ISO 9001 – Would hospitals benefit from ISO 9001? - https://advisera.com/9001academy/blog/2015/07/21/would-hospitals-benefit-from-iso-9001/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 9001 implementation


    Answer:

    Three topics: knowledge of ISO 9001, project management skills and leadership skills.
    There are no mandatory requirements concerning a particular function in an organization. Anyone can lead an ISO 9001 implementation project as long as he or she has:
    - knowledge of ISO 9001 in order to understand what is at stake about each clause;
    - project management skills in order to be able to plan, monitor and control a project involving different people with different priorities and motivations, together with scarce resources;
    - leadership skills in order to be able to overcome barriers, to handle conflicts, to get resources and get top management attention. The need for these particular skills can be balanced with the existence of a Project Sponsor, someone not directly involved in the project but with authority and influence within the organization who can help the Project Manager.

    The following material will provide you information about implementing ISO 9001:
    - ISO 9001 – Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - Project Plan for ISO 9001 implementation - https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word
    - free online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk assessment and information security audit


    Answer: The information security risk assessment is about how to identify, analyse and evaluate risks, while the information security audit is about evaluating the degree to which requirements are being fulfilled.

    The information security audit is one of the means to assess if the information security risk assessment and risk treatment were performed as required (considering the ISO 27001 standard and other non-standard related requirements), and if its results (prioritized risks and implemented treatments) are achieving the expected results regarding the information security and business objectives.

    For more information, please read: Risk assessment vs. internal audit in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/12/08/risk-assessment-vs-internal-audit-in-iso-27001-and-iso-22301/

    2. What are an advantage and a disadvantage of an external as compared to an internal audit?

    Answer: Second party audits (audits performed by external personnel with non-certification purposes) can bring more expertise and an unbiased view to the audit process than internal audits, but on the other hand they are more expensive and the lack of internal specific knowledge may let the external auditors miss situations that are clear to internal auditors.

    Third party audits (audits performed by certification bodies with certification purposes) can bring independent and worldwide recognized confidence that the organization fulfils the standard requirements (through certification issuing), which internal audits cannot provide, but it involves costs for certification maintenance.

    These articles will provide you further explanation about types of audits:
    - First-, Second- & Third-Party Audits, what are the differences? https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
    - Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
  • Risk assessment


    Answer:

    In the Advisera toolkit you purchased you have all the templates you need to perform risk assessment according to ISO 27001. They are located in folder 05 Risk Assessment and Risk Treatment Methodology:
    - Risk_Assessment_and_Risk_Treatment_Methodology
    - Appendix_1_Risk_Assessment_Table
    - Appendix_2_Risk_Treatment_Table
    - Appendix_3_Risk_Assessment_and_Risk_Treatment_Report

    Also included in your toolkit you have access to video tutorials that can help you fill in the templates, with real data, and provide training for your team.