  • Major nonconformities

    A situation in which the External Auditor found some Major Non-conformity and the auditor has given some time and suggested some changes for that Non-Conformity. Generally, what will be the time span for follow-up and for certifying it?

    Answer:

    This timeframe will depend on the major non-conformity, because in the case of minor nonconformities it is two months. Therefore, I would follow your auditor's recommendations regarding the time and changes.

    Remember that clause 10.2 of the 14001:2015 standard specifies how to deal with nonconformity and corrective action, and documenting any changes that may occur in your EMS due to repairing a nonconformity falls firmly into that category. So, if you treat the process of repairing a nonconformity as you would any corrective action, you will have evidence to demonstrate compliance to the auditor if executed correctly.

    These materials can help you to understand nonconformities in ISO 14001:2015:
    - Article - Dealing with nonconformities from the ISO 14001:2015 certification audit: https://advisera.com/14001academy/blog/2015/11/02/dealing-with-nonconformities-from-the-iso-140012015-certification-audit/
    - Book - Discover ISO 9001:2015 through practical examples:
    - Free on-line ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Traceability

    We have a request and incident logging system that has some statistics, such as the number of incidents logged, the number of incidents handled per technician, the user's evaluation of the service received, and incidents that have exceeded the time established for their handling (it is a kind of traffic light that shows us which incidents are overdue, i.e. in red, which are about to expire, i.e. in yellow, and which are new, i.e. in green).
    We also have SLAs with the different departments of the Institution.
    I think I can use that information to measure traceability.
    I want to ask you whether I am right or wrong.

    Answer:

    Traceability in ISO 9001:2015 is a different concept from the one you have described in your query, since what you describe relates more to the measurement of customer satisfaction. The first thing to do is to describe all the processes needed to deliver the product or service; once this is done, traceability would consist of identifying the control of each part of the process from the final product/service back to the starting components. You also have to bear in mind that traceability is not a requirement for all organizations, so you have to be sure that it is not excluded from your scope.

    To be able to demonstrate such traceability to the auditor, you must have, for example in the case of a specific product, the certificates of the starting materials, the calibration certificates of the equipment used, the manufacturing drawings and the conformity document of the finished product.

    For more information on identification and traceability you can see these materials:
    - ISO 9001:2015 Clause 8.5 product realization: practical examples for compliance (only available in English): https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
    - Book - Discover ISO 9001:2015 through practical examples (only available in English): https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • The structure for contracts and regulations

    Can you please send me a filled-in example document? I really don't know what the content should be in this document. I understand the "stakeholders" but don't understand the demands.

    Answer: The demands are the clauses that define information security requirements. An example for a law is:
    Requirement: "... a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards..."
    Document stipulating the requirement: Art. 46 GDPR (General Data Protection Regulation), paragraph 1.
    Person responsible for compliance: CISO
    Deadlines: 25 May 2018
    Interested parties: Customers

    The structure is the same for contracts and regulations.

    2 - Is it a big list ?

    Answer: The number of legal requirements will depend on your organization's context (e.g., the financial industry is highly regulated, so organizations in this sector will have many laws and regulations to comply with), and on the number of different contracts you have with customers and suppliers. I strongly suggest that you seek legal expert advice to identify such requirements.

    3 - What would be the content beside legal obligations Personal Data Protection Act 2000 and Data Breach Notification Requirement Act 2016? Please assist or inform me where I could find the additional information.

    Answer: An example of an obligation other than laws and regulations would be contractual clauses related to service levels (impacting availability), or clauses specifically related to the protection of confidentiality.

    These articles will provide you further explanation about requirements identification:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
    - How to integrate GDPR with ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/
  • Referential documents


    Answer:

    You can exclude the reference to the business continuity policy without any problems if your organization won't implement business continuity. Also, you will only have to exclude section 4.4 (Business continuity) of the ISMS policy template, as explained in the comments included in the template.
  • Keeping personal data


    Answer:

    Based on the provisions of the EU GDPR, personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes). So, unless you have a lawful obligation to keep personal data for a longer time, it should be deleted or anonymized.

    You can set up within your organization a general retention period based on the purposes for which you collect and process the data.

    Furthermore, you can find a data retention policy in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/).
  • Audit checklist


    Answer:

    There is no definitive relationship between controls and ISO 27001 clauses, since this relationship is established based on the results of the risk assessment, applicable legal requirements, and the organization's strategies and objectives, which are unique for each organization.
    This article will provide you with further explanation about ISO 27001: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    Regarding evidence of compliance with each clause and control, I suggest you take a look at the free demo of our Internal Audit Checklist at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/

    For each clause or control from the standard the checklist provides one or more questions which can help verify the implementation.
    This article will provide you with further explanation about the audit checklist:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • SOPs in AS9100 Rev D


    Answer:
    There is not a requirement in AS9100 Rev D to have any particular required Standard Operating Procedure (SOP), but there is certainly an allowance for these as “documented information to support the operation of its processes” (Clause 4.4.2). The decision is up to the company to determine if any process needs documented information to be maintained for the process to work properly, and this applies to production processes as well as any others in the QMS.
    For more information you can see a list of the mandatory documented information for AS9100 Rev D here: https://advisera.com/9100academy/knowledgebase/list-of-mandatory-documents-in-as9100-rev-d/
  • Continual improvement effectiveness

    How can continual improvement be measured effectively and are there any templates in pdf or word format that I can fill out?
    We are not using DOE, SPC or capability studies since it's an assembly setup where we procure parts from our suppliers and simply assemble in house.

    Answer:
    This is an interesting question as clause 10.3 – Continual Improvement has no requirement for documented information. There are many ways to know if your continual improvements are working, and this is often using your key performance indicators (KPIs) which your improvement activities are trying to make better. I think the best way to answer this question is like this:
    1) What improvements have we been doing (remember your quality objectives are improvement objectives)
    2) What were we trying to improve with these (KPIs, etc.)
    3) How do we know that the improvement worked?
    The answer to this is how you know that your continual improvements were effective. This is what you can respond to your auditor when they ask about continual improvement effectiveness.
    For more information on continual improvement see this blog article: https://advisera.com/9100academy/knowledgebase/corrective-actions-vs-continual-improvement-in-as9100/
  • Documenting BCP plans

    I need your expert opinion about the structure of the BCP. xxx is an engineering company with around 250 employees (about 200 engineers, no manufacturing). We have 4 major sites (3 in Australia and 1 is in Florida).
    Australia site 1 – Head office, almost all departments including engineering
    Australia site 2 – Sales, logistics and warehousing
    Australia site 3 – Engineering, project management, testing
    USA site 1 – Engineering, project management, testing
    I was wondering if I have to develop 1 BCP for all sites or 4 BCPs?

    Answer:

    ISO 22301 does not prescribe the number of plans you have to document, so this decision is up to the organization strategies and objectives.

    Considering your scenario, I'd suggest 4 BCPs in a master-slave configuration, i.e., the BCP for Australia site 1 documenting all activities, and the remaining BCPs as copies of the first one, covering only the departments located on each site, with adjustments to reflect the specificities of each site (e.g., specific RTO, RPO, activities, etc.).

    With this configuration, the documents for Australia sites 2 and 3, and USA site 1, will be smaller, focusing only on the departments on each site, and you will have less administrative effort to manage the documentation; after all, all documents will be as similar as possible, based on the BCP for Australia site 1.

    These materials will provide you further explanation about documenting BCPs:
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
    - Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
  • SWOT analysis and internal audit

    Answer:
    No, you don’t need to perform a SWOT analysis in order to perform an audit. SWOT analysis is normally used during strategic thinking and is a way of organizing information about internal and external issues.
    The following materials will provide you more information about SWOT analysis and audit planning:
    - Article - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Article - ISO 9001 – How to prepare for an internal audit - https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/