Search results


  • Some IMS questions

    1. As the company IMS is an integrated management system and ISO (9001-2015, 14001-2015, 45001-2018) now have the same clauses, is it ok if the company IMS and ISO clause numbers don't match?
    2. Can the clauses in the IMS be more than in the ISO standards in subject, i.e. 10 clauses?
    3. They have created the HSE manual and IMS manual separately. Can it be like that? And the HSE manual has totally different clauses than ISO 45001-2018.
    4. I am having a problem in judging the CTO log OR COTO log. Can you please guide me on this? Because they made it totally wrong for the construction industry. And also guide on the frequency of updating this log.

    Answer:

    Regarding questions 1 and 2 - It is fine as long as you comply with the standards' requirements. ISO doesn't prescribe anything in relation to the organization of the standards' implementation.

    These articles can help you with the integration of the standards:
    - How to integrate ISO 45001 with ISO 9001 and ISO 14001: https://advisera.com/45001academy/blog/2018/09/12/how-to-integrate-iso-45001-with-iso-9001-and-iso-14001/
    - White paper - How to integrate 2015 revisions of ISO 9001 and ISO 14001: https://info.advisera.com/9001academy/free-download/how-to-integrate-2015-revisions-of-iso-9001-and-iso-14001

    The same thing occurs for the manuals. As you may already know, manuals are not mandatory anymore in the new versions of the ISOs, so you can decide to have different manuals for different ISOs. This is completely up to the organization. However, if you have an IMS Manual which integrates the 3 ISOs and another manual just for HSE, I don't think it makes much sense, since you would be covering the same requirements in 2 different manuals.

    Here you can read some articles related to the manuals:
    - The future of the quality manual in ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
    - Writing a short quality manual: https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
    - What is an environmental management system manual?: https://advisera.com/14001academy/knowledgebase/what-is-an-environmental-management-system-manual/

    Regarding question 4, I guess this refers to the Context of the Organization Log. I recommend that you organize a meeting with the relevant people of your organization and conduct a SWOT analysis in order to determine the context of your organization.

    You can read the following articles regarding the context of the organization to learn more about it:
    - How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - ISO 9001:2015 case study: context of the organization as a success factor in manufacturing company: https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - Determining the context of the organization in ISO 14001: https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/

    With respect to the frequency, it is up to the organization. You can consider reviewing the context, for example, every year, unless there are major changes, for instance a new product will be launched in your organization or your organization opens a branch in a totally different new location.
  • Document for clause 4.2


    Answer:

    You can download a free-preview of the following documents related to the identification of the needs and expectations to the interested parties:
    - Procedure for determining context of the organization and interested parties: https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
    - Template - List of interested parties: https://advisera.com/9001academy/documentation/list-of-interested-parties/

    These materials can help you to understand the needs and expectations of the interested parties:
    - Article - Understanding needs and expectations of interested parties in ISO 9001:2015: https://advisera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
    - Article: How to determine interested parties according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Compliance with ISO 13485 or GMP for Class III device


    Answer:

    It should have a Quality Management System in place to meet the demand of ISO 13485 for CE marking in Europe by the notified body.

    For more information, please refer to:

    How to use ISO 13485 to get your devices approved for CE Marking
    https://advisera.com/13485academy/blog/2017/10/12/how-to-use-iso-13485-to-get-your-devices-approved-for-ce-marking/
  • AS9100 vs AS9110 requirements


    Answer:
    AS9110 is the Quality Management System Requirements for Aviation Maintenance Organizations, and as such has requirements based on ISO 9001:2015 for aircraft maintenance and overhaul companies only. So, unless the company you are talking to does exclusively aircraft component maintenance and overhaul (such as aircraft motors), then the AS9110 standard would not apply to their business. Even AS9120, Quality Management System Requirements for Aviation, Space and Defense Distributors only has a limited use for companies that only buy parts and then resell them while performing no added value activities. Whereas, AS9100 is designed for any organization in the Aviation, Space and Defense industry which would include companies that, although not OEMs, take other parts and perform value added activities on them for their customers.
    For more on what is contained in AS9100 see our clause-by-clause explanation of AS9100 Rev D whitepaper: https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
  • Auditing the context of an organization

    Answer:
    You can ask questions based on ISO 9001:2015 and questions based on the procedure content. For example, based on the standard you can ask things like: What can you tell me about the context of our company? Did the company determine internal and external issues? What did the company do with those determined internal and external issues? How are internal and external issues monitored? And when relevant changes occur, how are they communicated to top management?

    The following material will provide you information about developing checklists:
    - ISO 9001 – How to create a checklist for an ISO 9001 internal audit for your QMS - https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk assessment

    1. We are a small company, the CIO (me) will be the risk owner for all assets, is that a problem?

    Answer: ISO 27001 does not define who must be the risk owner, so a single person can be the owner of all risks. The choice of the risk owner should consider the capability to make decisions about treating the risks, and that the quantity of risks does not become excessive to manage.

    For more information, see: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    2. Do I have to also include the private phones of our employees (their mailbox is configured on them, and an app for 2-factor authentication)?

    Answer: If the organization does allow employees to use their own devices to access information included in the ISMS scope, then these personal devices should be included in the risk assessment.

    For more information, see: How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

    3. Do I have to also include the private PC or laptop that they use at home to connect via VPN to an online workplace where they can work from home?

    Answer: Like the previous answer, if the organization does allow employees to use their own devices to access information included in the ISMS scope, then these personal devices should be included in the risk assessment.

    For more information, see: How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
  • Toolkit content


    Answer: ISO 27001 does not require documents specific to the controls from section A.6, but the following templates in your toolkit cover controls from this section:
    - Bring Your Own Device (BYOD) Policy (covers controls A.6.2.1 and A.6.2.2)
    - Mobile Device and Teleworking Policy (covers control A.6.2)
    - Acceptable Use Policy (covers controls A.6.2.1 and A.6.2.2)

    2. Also, A.12 Operations security should include all of the below, but I can see only 3 controls? Could you please let me know how to address this?
    1. Operational procedures and responsibilities
    2. Protection from malware
    3. Backup
    4. Logging and monitoring
    5. Control of operational software
    6. Technical vulnerability management
    7. Information systems audit considerations

    Answer: These controls are covered by the following templates:
    1. Operational procedures and responsibilities: Operating Procedures for Information and Communication Technology
    2. Protection from malware: Acceptable Use Policy
    3. Backup: Operating Procedures for Information and Communication Technology, Backup Policy, and Acceptable Use Policy
    4. Logging and monitoring: Operating Procedures for Information and Communication Technology
    5. Control of operational software: Acceptable Use Policy
    6. Technical vulnerability management: Acceptable Use Policy
    7. Information systems audit considerations: Internal Audit Procedure

    ISO 27001 does not require each control in Annex A to be documented. Our toolkits focus on small and mid-size companies, and that's the reason why we do not write documents to cover each control – for many of those companies this large number of documents would be overkill. Instead, a single template may cover multiple controls.

    In the root folder of the toolkit you'll find a document called “List of Documents” that explains which control is covered by which document.
  • Deletion request


    Answer:

    The right to be forgotten established under the EU GDPR is not an absolute right.

    You must comply with a deletion request where:

    - the individual has objected to the processing and (other than in relation to objections to direct marketing) there are no overriding legitimate grounds to justify that processing;
    - the personal data is no longer needed for the purpose for which it was collected or processed;
    - the individual withdraws consent and there are no other grounds for the processing;
    - the personal data is unlawfully processed;
    - there is a legal obligation under Union or Member State law to erase the personal data; or
    - personal data was processed in connection with an online service offered to a child.

    You do not need to comply if the processing is:

    - necessary for rights of freedom of expression or information;
    - for compliance with a legal obligation under Union or Member State law;
    - in the public interest or carried out by an official authority;
    - for public interest in the area of public health;
    - for archiving or research; or
    - for legal claims.
  • Supplier evaluation

    Answer:
    It is your company that has the authority to decide if all raw material manufacturers need to be audited or not. ISO 9001:2015 does not oblige you to use audits to qualify suppliers.

    “The manufacturer has an ISO 9001-2015 standard; is this enough? (Please do consider that the raw material provider has an ISO 9001-2015 standard and we also perform initial laboratory control of all provided raw material.)”
    Answer:
    Again, it is your company that has the authority to decide the initial qualification criteria for suppliers.

    “According to ISO 9001:2008 clause 7.4.1, it was required to keep records of the criteria for selection, evaluation and re-evaluation of the suppliers, but this requirement was changed in ISO 9001-2015 and is widely expanded. In ISO 9001:2008, the organization needed to ensure the purchased product met specified purchase requirements. In ISO 9001:2015, the verification needs to ensure "the externally provided processes, products and services meet requirements." (Does this mean every provider shall have a site audit?)”
    Answer:
    It means that organizations should decide which products, services or subcontracting are relevant enough to the conformity of the products or services provided by the organization. For those considered to be relevant, organizations should plan how they will control whether specified purchase requirements are being met. A site audit is just one of the possibilities; others are internal lab quality control, supplier quality control, and third-party quality control.

    The following material will provide you information about purchasing:
    - ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Audit preparation


    Answer:
    Before auditing, an auditor should prepare a checklist to help him or her perform the audit. If an auditor has no previous access to company documentation, he or she can prepare the checklist based on the reference standard. So, an auditor goes to the audit with at least a checklist based on ISO 9001:2015. If the auditor has one hour before starting the audit to go through the company documentation, he or she can use that opportunity to pinpoint the specific documents used to comply with the reference standard.

    The following material will provide you information about auditing:

    - ISO 9001 – How to create a checklist for an ISO 9001 internal audit for your QMS - https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
    - ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/