Search results

  • Interested parties - a management decision, not a technical decision


    Answer:

    Look into clause 4.2 of ISO 9001:2015 and note the vocabulary “the organization shall determine”, not “the organization shall identify”. That means that determining the interested parties is not a technical problem, it is a management problem. It will depend on your organization’s strategic orientation and business model. What interested parties are relevant for your organization’s strategic orientation and business model? Consider your organization’s strategic orientation and its competitive advantages. What interested parties must be present? What is expected from each one? What does each one expect from your organization?

    The following material will provide you with information about interested parties:

    - How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
    - Understanding needs & expectations of interested parties in ISO 9001:2015 - https://advisera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Can organization exclude requirement 8.3 from certification?


    Answer:

    The only requirement of the standard that can be excluded from certification is 8.3 Design and development of products and services (the development of the production processes must always be taken into account).
    This exception needs to be well explained in documented information with proof that the organization has no process that is related to design and development.
    Prior to certification, the organization must demonstrate that it can meet all requirements of IATF 16949 (readiness assessment with at least 1 day on location); this includes a full audit cycle including a QM assessment.

    To find out more about the topic, please see the article: How to write the IATF 16949 Quality Manual https://advisera.com/16949academy/blog/2017/05/31/how-to-write-the-iatf-16949-quality-manual/
  • Holistic approach


    Answer:

    The whole set of ISO 27001 mandatory documents ensures that an organization plans (e.g., define information security policy), performs actions (e.g., performing of risk assessment and risk treatment plan, and operation of security controls), controls results (e.g., through performance measurements, internal audits, and management reviews), and improves information security (e.g., by means of treating nonconformities and opportunities for improvement).

    If you consider only part of the documentation, some steps of the information security management can be forgotten and the security will fail to achieve the expected results.
    These articles will provide you further explanation about ISO 27001 approach:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - Has the PDCA Cycle been removed from the new ISO standards? https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
  • Developing policies and procedures


    Answer:

    The main advice is to keep this documentation as simple as possible, including only what is demanded by legal requirements, like contracts, laws and regulations, or what will certainly increase efficiency and effectiveness. An additional tip is to write considering your target audience, avoiding unnecessary jargon.

    These articles will provide you further explanation about developing policies and procedures:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

    Regarding ISO 27001, I suggest these materials so you can have a better understanding of this standard and its benefits:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 Foundations course https://advisera.com/training/iso-27001-foundations-course/
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Evaluation of leadership


    At Advisera we do not currently have a method for evaluating leadership, since it is part of several requirements of the standard. However, this assessment is carried out during the internal audit; here you can access a preview of the Internal Audit Checklist: https://advisera.com/9001academy/es/documentation/lista-de-verificacion-para-auditoria-interna/

    These would be the elements that demonstrate leadership within the QMS:
    - The effectiveness of the QMS is measured, and management participates in this evaluation.
    - The Quality Policy and the objectives are established by management, communicated within the organization, and monitored to track their progress.
    - The QMS is part of the business processes, not a parallel project.
    - Resource needs are reviewed and addressed by management.
    - Continual improvement is promoted and supported by management.
    - There is a way to demonstrate to the customer that legal requirements are understood and met, and staff understand how important this is.
    - There is a management focus on customer satisfaction.
    - Organizational roles, responsibilities, and authorities are assigned, and they have to be understood by the organization's workers.

    For more information on demonstrating leadership within the organization, you can see these materials:
    - Article - How to comply with the new leadership requirements in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-cumplir-con-los-nuevos-requerimientos-de-liderazgo-en-la-iso-90012015/
    - Free online ISO 9001:2015 Foundations course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Structure of the documentation in the QMS and design of procedures


    Answer:

    The first thing to note is that in this new standard it is not mandatory to present any procedure. If you do, like any other type of documentation it must meet the requirements of clause 7.5 of ISO 9001:2015 regarding the creation and updating and the control of the QMS's documented information. As for the design, the organization itself can decide on it as long as it meets the aforementioned requirements.

    Regarding the creation and updating of documented information, the organization must:
    - Identify and describe the documented information appropriately (title, date, etc.)
    - Establish a format (language, graphics, etc.)
    - Determine the media in which it is contained (paper, electronic format, etc.)
    - Review and approve the documented information, ensuring its suitability and adequacy

    On the other hand, the organization must address the following activities to control documented information:
    - Access, distribution, retrieval and use
    - Storage and distribution
    - Control of changes
    - Retention and disposition

    Here you can download a preview of our Procedure for Document and Record Control: https://advisera.com/9001academy/es/documentation/procedimiento-para-control-de-documentos-y-registros/

    Regarding the structure of documented information, the international standard ISO 10013:2001 Guidelines for quality management system documentation gives guidance for effectively sizing the documentation of a QMS, as well as a summary of recommended contents and the structure of different types of Quality Management System documents. In this article you can find more information about the structure of the documentation - How to structure quality management system documentation https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-estructurar-la-documentacion-del-sistema-de-gestion-de-calidad/

    As for quality procedures, they can include the following elements:
    - Title
    - Purpose
    - Scope
    - Responsibilities and functions d
    - Definition and list of the records that result from the activities described in the procedure
    - Document control
    - Description of activities
    Annexes can be included if necessary.

    These materials can help you understand the control of documented information in ISO 9001:2015:
    - New approach to document and record control in ISO 9001:2015 (available in English): https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Subclause 8.2.3.2

    According to clause 8.2.3.2, you don't need to develop a procedure but retain documented information (that is, records), as applicable:
    - on the results of the review;
    - on any new requirements for the products and services.

    You can check the mandatory documents here - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    Of course you can create a procedure that will help you to act systematically regarding this requirement, but it is not a mandatory requirement for the organization. Also, it doesn't need to focus just on customer needs, but the review before committing to supply products and services should include:
    - requirements specified by the customer, including requirements for delivery and post-delivery activities;
    - requirements not stated by the customer, but necessary for the specified or intended use, when known;
    - requirements specified by the organization;
    - statutory and regulatory requirements applicable to the products and services;
    - other contract or order requirements differing from those previously expressed.

    These materials can also help you to understand Clause 8 - Operation:
    - White paper - Clause by clause explanation of ISO 9001:2015: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Access to psychometric tests


    Answer:

    The results of the psychometric tests are indeed personal data and those should be shared with the data subjects if they request that. The test questions, unless these questions are indeed aimed at collecting personal information (What is your name, your date of birth, age, etc.), can be disclosed to the data subjects; however, if the test as a whole is protected under the national laws, then the national laws would take precedence over the EU GDPR.

    To find out more about the EU GDPR check out our EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • How to get ISO certification


    Answer:
    ISO does not certify organizations. ISO publishes internationally recognized standards. Certification is provided by certification bodies after audits that verify if an organization has implemented a management system according to the requirements of an ISO management system standard. So, the basis for certification is passing a certification audit.

    The following material will provide you with information about certification:
    - ISO 9001 – How to prepare your company for the ISO 9001 certification audit - https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Document lay-out

    In general, do related documents from section 4 (no matter in which form they exist: paper document, electronically, inside the information system, etc.) have to be compliant with the things we defined in the [policy for information classification]?

    Answer:

    The change log form, as well as any other document or record that is part of the ISMS, must be labelled according to the Information Classification Policy, as well as follow the guidelines defined in the Procedure for Document and Record Control (sections 3.1 and 3.5), so the organization does not incur a nonconformity.

    Of course, in the Information Classification Policy you may choose to exclude certain types of documents or records from being labelled, in order to make operations with those documents and records easier. However, in such a case you should assess if this would create some unacceptable risks.

    These articles will provide you further explanation about document control and labeling:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/