Search results

Home / Search

Category:
Select
Select

11272 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Responsibility of the CEO for management review minutes


    Answer:

    Section 4.4 of the Information Security Policy speaks about the responsibility of the CEO (or other member of the top management) to prepare minutes of the management review meeting.

    You can find the template of Management review minutes in the folder 11 of your ISO 27001 Toolkit; by the way, these minutes are a mandatory document.

  • Management representative in ISO 9001:2015


    Answer:

    You are correct, the management representative is not mandatory anymore in the new version of the standard ISO 9001:2015. However, if your organization considers this position valuable and worthwhile you can still keep it.

    These are usually the responsibilities of a management representative:
    - Process maintenance of the QMS
    - Reporting on the performance of the QMS
    - Customer requirements promotion
    - Liaison with external parties

    The management representative should be the person within your company that best suits all the above job responsibilities ensuring that the implementation and maintenance of the quality management system becomes a success.

    This materials can help you to better understand the role of the management representative:

    - Article - What will be the destiny of the management representative in the new ISO 9001:2015: https://adv isera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
    - Article - Choosing the best person for the job quality management representative: https://advisera.com/9001academy/blog/2014/06/03/choosing-best-person-job-quality-management-representative/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/

  • Certification after a NC


    Answer:

    The certificate will be issued when the nonconformity has been corrected and this has been verified by an auditor.

    For more information about nonconformities in ISO 9001:2015 see:
    - Article - How to write a good ISO 9001 nonconformity: https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
    - Article - How to deal with nonconformities in an ISO 9001 certification audit: https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    - Free on-line ISO 9001: 2015 Foundations course: https://advisera.com/training/iso-14001-internal-auditor-course/ ourse/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Some IMS questions

    1. As company IMS is integrated management system and also ISO (9001-2015, 14001-2015, 45001-2018) has same clauses now so, Is it ok if company IMS and ISO clause numbers doesn't match?
    2. Can the clauses in IMS be more than ISO standards in subject i.e 10 clauses.
    3. They have created HSE manual and IMS manual separate, Can it be like that? and HSE manual has totally different clauses than ISO 45001-2018.
    4. I am having problem in judging CTO log OR COTO log. Can you please guide me on this ? because they made it totally wrong for Construction Industry. And also guide the frequency of updating this log.

    Answer:

    Regarding questions 1 and 2 - It is fine as long as you comply with the standards requirements. ISO doesn´t prescribe anything in relation with the organization of the standards implementation.

    These articles can help you with the integration of the standards:
    - How to integrate ISO 45001 with ISO 9001 and ISO 14001: https://advisera.com/45001academy/blog/2018/09/12/how-to-integrate-iso-45001-with-iso-9001-and-iso-14001/
    - White paper - How to integrate 2015 revisions of ISO 9001 and ISO 14001: https://info.advisera.com/9001academy/free-download/how-to-integrate-2015-revisions-of-iso-9001-and-iso-14001

    Same thing occurs for the manuals. As you already may know, manuals are not mandatory anymore in the new versions of the ISOs so you can decide to have different manuals for different ISOs. This is completely up to the organization. However,if you have an IMS Manual which integrates the 3 ISOs and another manual just for HSE, I don´t think it makes much sense since you would be covering the same requirements in 2 different manuals.

    Here you can read some articles related to the manuals:
    - The future of the quality manual in ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
    - Writing a short quality manual: https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
    - What is an environmental management system manual?: https://advisera.com/14001academy/knowledgebase/what-is-an-environmental-management-system-manual/

    Regarding the question 4, I guess this is referred to the Context of the Organization Log. I recommend you to organize a meeting with the relevant people of your organization, and conduct a SWOT analysis in order to determine the context of your organization.

    You can read the following articles regarding the context of the organization to learn more about it:
    - How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - ISO 9001:2015 case study: context of the organization as a success factor in manufacturing company: https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - Determining the context of the organization in ISO 14001: https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/

    With respect to the frequency, it is up to the organization. You can consider to review the context, for example, every year unless there are major changes for instance, a new product will be launched in your organization or your organization opens a branch in a totally different new location.

  • Document for clause 4.2


    Answer:

    You can download a free-preview of the following documents related to the identification of the needs and expectations to the interested parties:
    - Procedure for determining context of the organization and interested parties: https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
    - Template - List of interested partieshttps://advisera.com/9001academy/documentation/list-of-interested-parties/

    These materials can help you to understand the needs and expectations of the interested parties:
    - Article - Understanding needs and expectations of interested parties in ISO 9001:2015: https://advisera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
    - Article: How to determine interested parties according to ISO 9001:2015: https://adviser a.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/

  • Compliance with ISO 13485 or GMP for Class III device


    Answer:

    It should have a Quality Management System in place to meet the demand of ISO 13485 for CE marking in Europe by the notified body.

    For more information, please refer to :

    How to use ISO 13485 to get your devices approved for CE Marking
    https://advisera.com/13485academy/blog/2017/10/12/how-to-use-iso-13485-to-get-your-devices-approved-for-ce-marking/

  • AS9100 vs AS9110 requirements


    Answer:
    AS9110 is the Quality Management System Requirements for Aviation Maintenance Organizations, and as such has requirements based on ISO 9001:2015 for aircraft maintenance and overhaul companies only. So, unless the company you are talking to does exclusively aircraft component maintenance and overhaul (such as aircraft motors), then the AS9110 standard would not apply to their business. Even AS9120, Quality Management System Requirements for Aviation, Space and Defense Distributors only has a limited use for companies that only buy parts and then resell them while performing no added value activities. Whereas, AS9100 is designed for any organization in the Aviation, Space and Defense industry which would include companies that, although not OEMs, take other parts and perform value added activities on them for their customers.
    For more on what is contained in AS9100 see our clause-by-clause explanation of AS9100 Rev D whitepaper: https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d

  • Auditing the context of an organization

    Answer:
    You can ask questions based in ISO 9001:2015 and questions based on the procedure content. For example, based on the standard you can ask things like: What can you tell me about the context of our company? Did the company determined internal and external issues? What did the company with those determined internal and external issues? How are internal and external issues monitored? And when relevant changes occur how are they communicated to top management?

    The following material will provide you information about developing checklists:
    - ISO 9001 – How to create a checklist for an ISO 9001 internal audit for your QMS - https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/ nternal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Risk assessment

    1. We are a small company, the CIO (me) will be the risk owner for all assets, is that a problem?

    Answer: ISO 27001 does not define who must be the risk owner, so a single person can be the owner of all risks. The choice of the risk owner should consider the capability to make decisions about treating the risks and that the quantity of risks do not become excessive to be managed.

    For more information, see: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    2. Do I have to include also the private phones of our employees (their mailbox is configured on it and an app for 2 factor authentication)

    Answer: If the organization does allow employees to use their own devices to access information included in the ISMS scope, then these personal devices should be included in the risk assessment.

    For more information, see: How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advi sera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

    3. Do I have to include also the private PC of laptop that they use at home to connect via VPN to an online workplace where the can work from home?

    Answer: Like the previous answer, if the organization does allow employees to use their own devices to access information included in the ISMS scope, then these personal devices should be included in the risk assessment.

    For more information, see:How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/

  • Toolkit content


    Answer: ISO 27001 does not require documents specific for control from section A.6, but these following templates in your toolkit cover controls from this section:
    - Bring Your Own Device (BYOD) Policy (covers controls A.6.2.1 and A.6.2.2)
    - Mobile Device and Teleworking Policy (covers control A.6.2)
    - Acceptable Use Policy (covers controls A.6.2.1 and A.6.2.2)

    2. Also, A.12 Operations security should include all below, but I can see only 3 controls ? Could you please let me know how to address this, please ?
    1. Operational procedures and responsibilities
    2. Protection from malware
    3. Backup
    4. Logging and monitoring
    5. Control of operational software
    6. Technical vulnerability management
    7. Information systems audit considerations

    Answer: These controls are covered by the following templates:
    1. Operational procedures and responsibilities: Operating Procedures for Information and Communication Technology
    2. Protection from malware: Acceptable Use Policy
    3. Backup: Operating Procedures for Information and Communication Technology, Backup Policy, and Acceptable Use Policy
    4. Logging and monitoring: Operating Procedures for Information and Communication Technology
    5. Control of operational software: Acceptable Use Policy
    6. Technical vulnerability management: Acceptable Use Policy
    7. Information systems audit considerations: Internal Audit Procedure

    ISO 27001 does not require each control in Annex A to be documented. Our toolkits focus on small and mid-size companies, and that's the reason why we do not write documents to cover each control – for those companies this large number of documents would result in an overkill for many of them. Instead of that a single template may cover multiple controls.

    In the root folder of the toolkit you'll find a document called “List of Documents” that explains which control is covered by which document.
Page 657-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +