
  • Traceability

    We have a system for recording requests and incidents, which has some statistics, such as the number of incidents recorded, the number of incidents handled per technician, the user's evaluation of the service received, and incidents that have exceeded the time established for handling them (it is a kind of traffic light that tells us which incidents are overdue, i.e. in red, which are about to expire, i.e. in yellow, and which are new, i.e. in green).
    We also have SLAs with the different departments of the Institution.
    I think I can use that information to measure traceability.
    I want to ask you whether I am right or wrong.

    Answer:

    Traceability in ISO 9001:2015 is a different concept from the one you have described in your query, since what you describe relates more to the measurement of customer satisfaction. The first thing to do is to describe all the processes needed to deliver the product or service, and once that is done, traceability would consist of identifying the control of each part of the process, from the final product/service back to the starting components. You must also bear in mind that traceability is not a requirement for all organizations, so you need to be sure that it is not excluded from your scope.

    To be able to demonstrate such traceability to the auditor, you must have, for example in the case of a specific product, the certificates for the starting materials, the calibration certificates of the equipment used, the manufacturing drawings and the conformity document for the finished product.

    For more information on identification and traceability, you can see these materials:
    - ISO 9001:2015 Clause 8.5 product realization: practical examples for compliance (only available in English): https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
    - Book - Discover ISO 9001:2015 through practical examples (only available in English): https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • The structure for contracts and regulations

    Can you please send me a filled in example document. I really don’t know what the content should be in this document. I understand the “stakeholders” but don’t understand the demands.

    Answer: The demands are the clauses that define information security requirements. An example for a law is:
    Requirement: "... a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards..."
    Document stipulating the requirement: Art. 46 GDPR (General Data Protection Regulation), paragraph 1.
    Person responsible for compliance: CISO
    Deadlines: 25 May 2018
    Interested parties: Customers

    The structure is the same for contracts and regulations.

    2 - Is it a big list ?

    Answer: The number of legal requirements will depend on your organization's context (e.g., the financial industry is highly regulated, so organizations in this sector will have many laws and regulations to comply with), and the number of different contracts you have with customers and suppliers. I strongly suggest you look for legal expert advice to identify such requirements.

    3 - What would be the content beside legal obligations Personal Data Protection Act 2000 and Data Breach Notification Requirement Act 2016? Please assist or inform me where I could find the additional information.

    Answer: An example of obligation other than laws and regulations would be contractual clauses related to service levels (impacting availability), or clauses specifically related to protection of confidentiality.

    These articles will provide you further explanation about requirements identification:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
    - How to integrate GDPR with ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/
  • Referential documents


    Answer:

    You can exclude the reference to the policy for business continuity, with no problems, if your organization won't implement business continuity. Also, you will only have to exclude section 4.4 (Business continuity) of the ISMS policy template, as explained in the comments included in the template.
  • Keeping personal data


    Answer:

    Based on the provisions of the EU GDPR, personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes). So, unless you have a lawful obligation to keep personal data for a longer time, it should be deleted or anonymized.

    You can set up within your organization a general retention period based on the purposes for which you collect and process the data.

    Furthermore, you can find a data retention policy in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/).
  • Audit checklist


    Answer:

    There is no definitive relationship between controls and ISO 27001 clauses, since this relationship is established based on the results of risk assessment, applicable legal requirements, and organization's strategies and objectives, which are unique for each organization.
    This article will provide you further explanation about ISO 27001: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    Regarding evidence of compliance with each clause and control, I suggest you take a look at the free demo of our Internal Audit Checklist at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/

    For each clause or control from the standard the checklist provides one or more questions which can help verify the implementation.
    This article will provide you further explanation about audit checklists:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • SOPs in AS9100 Rev D


    Answer:
    There is not a requirement in AS9100 Rev D to have any particular required Standard Operating Procedure (SOP), but there is certainly an allowance for these as “documented information to support the operation of its processes” (Clause 4.4.2). The decision is up to the company to determine if any process needs documented information to be maintained for the process to work properly, and this applies to production processes as well as any others in the QMS.
    For more information you can see a list of the mandatory documented information for AS9100 Rev D here: https://advisera.com/9100academy/knowledgebase/list-of-mandatory-documents-in-as9100-rev-d/
  • Continual improvement effectiveness

    How can continual improvement be measured effectively and are there any templates in pdf or word format that I can fill out?
    We are not using DOE, SPC or capability studies since it's an assembly setup where we procure parts from our suppliers and simply assemble in house.

    Answer:
    This is an interesting question as clause 10.3 – Continual Improvement has no requirement for documented information. There are many ways to know if your continual improvements are working, and this is often using your key performance indicators (KPIs) which your improvement activities are trying to make better. I think the best way to answer this question is like this:
    1) What improvements have we been doing (remember your quality objectives are improvement objectives)
    2) What were we trying to improve with these (KPIs, etc.)
    3) How do we know that the improvement worked?
    The answer to this is how you know that your continual improvements were effective. This is what you can respond to your auditor when they ask about continual improvement effectiveness.
    For more information on continual improvement see this blog article: https://advisera.com/9100academy/knowledgebase/corrective-actions-vs-continual-improvement-in-as9100/
  • Documenting BCP plans

    I need your expert opinion about the structure of the BCP. xxx is an engineering company with around 250 employees (about 200 engineers, no manufacturing). We have 4 major sites (3 in Australia and 1 is in Florida).
    Australia site 1 – Head office, almost all departments including engineering
    Australia site 2 – Sales, logistics and warehousing
    Australia site 3 – Engineering, project management, testing
    USA site 1 – Engineering, project management, testing
    I was wondering if I have to develop 1 BCP for all sites or 4 BCPs?

    Answer:

    ISO 22301 does not prescribe the number of plans you have to document, so this decision is up to the organization strategies and objectives.

    Considering your scenario, I'd suggest 4 BCPs in a master-slave configuration, i.e., the BCP for Australia site 1 documenting all activities, and the remaining BCPs as copies of the first one, covering only the departments located on each site, with adjustments to reflect the specificities of each site (e.g., specific RTO, RPO, activities, etc.).

    With this configuration, the documents for Australia sites 2 and 3, and USA site 1, will be smaller, focusing only on the departments on each site, and you will have less administrative effort to manage the documentation, after all, all documents will be as equal as possible, based on BCP for Australia site 1.

    These materials will provide you further explanation about documenting BCPs:
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
    - Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
  • SWOT analysis and internal audit

    Answer:
    No, you don’t need to perform a SWOT analysis in order to perform an audit. SWOT analysis is normally used during strategic thinking and is a way of organizing information about internal and external issues.
    The following materials will provide you more information about SWOT analysis and audit planning:
    - Article - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Article - ISO 9001 – How to prepare for an internal audit - https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Audit plan versus audit program

    Answer:
    An audit program is a set of one or more audits planned to occur within a specific time frame and with common purpose, prepared by the Quality Manager or Audit Manager. For example, consider an organization that intends to perform three internal audits in 2019 to evaluate the conformity of its quality management system. The audit program plans: what will be the scope of each audit (what clauses and/or processes); when will each audit take place (the first can be in February, the second in May and the third in October); sometimes organizations even identify who will be the internal auditors for each audit. One important thing is that an audit program approved by top management is a way of transmitting authority to the internal auditors to perform the audit.

    An audit plan is prepared by the auditor(s) before each audit and aims to inform auditees about the audit objectives, audit scope, audit criteria, auditors, date and schedule of activities. For example, if an audit includes auditing the Commercial Department, an audit plan informs, or proposes, that the audit of that department occur between 10h00 and 11h00. An audit plan allows auditors to agree with auditees on a schedule.

    The following materials will provide you more information about internal audits:
    - Article - What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
    - Creating an ISO 14001 internal audit plan - https://advisera.com/14001academy/blog/2017/01/16/creating-an-iso-14001-internal-audit-plan/
    - Free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/