
  • Quality plan


    Answer:

    The structure of the quality plan will be different insofar as some requirements of the standard have changed. For example, the organization now has more freedom to decide which documentation to incorporate into its QMS, such as procedures, and there are other new requirements to incorporate into the system, such as determining the context of the organization or identifying risks and opportunities. All of this will also need to be taken into account when planning the milestones of each process within the project, the necessary resources, and the corresponding responsibilities.

    Basically, the Quality Plan must include the following elements:
    - Plan the different stages of your project
    - Establish individual roles and responsibilities
    - Fully supervise and organize your ISO 9001 implementation

    You can download a free project plan here - Project Plan for ISO 9001 Implementation: https://info.advisera.com/9001academy/es/descarga-gratuita/plan-de-proyecto-para-la-implementacion-de-iso-9001-ms-word

    These materials can also help you with the Quality Plan:
    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book - Discover ISO 9001:2015 through practical examples (available in English): https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Statement of applicability A.17.1.3


    Answer: I assume you are referring to a document Statement of Applicability - this document is written so that it is compliant with both ISO 27001 and ISO 22301. However, if you are using only ISO 27001 Toolkit then documents like "Exercise and test plan", and "Review after incidents" do not exist because they are not required by ISO 27001.

    You can use the following text for implementation method of control A.17.1.3: "The Disaster recovery plan is reviewed by [job title] every 3 months, and is audited during internal audit every 12 months."
  • Problems with inventory of assets

    If you were to document each and every process, this would mean you would have hundreds of documents - so no, it is not mandatory to document every process.

    Developing a process means you have to define exactly what are the inputs, what are the steps in performing certain activities, who is responsible, what is the timing, what are the outputs, etc.

    If you do not want to document that process, this means you have to agree with all people involved exactly how this is done, in detail.

    If you want to document that process, you simply have to write down everything you have defined.

    This article can also help you: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Review of the BCP


    Answer: I am sorry, but we don’t have a specific checklist for this, but commonly the points of a BCP are the following:

    - Roles and responsibilities
    - Key contacts
    - Plan activation and deactivation
    - Communication
    - Incident response
    - Physical sites and transportation
    - Order of recovery for activities
    - Recovery plans

    You can check in your BCP if these points are in place.

    For more information about the structure of the BCP, you can see this article “Business continuity plan: How to structure it according to ISO 22301” : https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
  • Confidentiality agreements

    In the context of ISO 27001 (which is about protecting business information), the criterion must be risk: if you are sharing information with external parties and you do not have a Confidentiality Agreement with those external parties, there is a significant risk related to the disclosure of information. Therefore, basically, in my opinion, you must establish Confidentiality Agreements with all interested parties that may access specific information of your business (this specific information may be internal, confidential, etc.).

    By the way, you may find this article interesting “Which security clauses to use for supplier agreements?” : https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • ISO 27001 vs ISO 27002


    Answer: If you want to implement only the ISO 27002, which is a code of best practices about information security, you don’t need the ISO 27001. But remember that you cannot certify ISO 27002, only ISO 27001 is certifiable, because this standard - I mean, ISO 27001 - defines an Information Security Management System.

    The core of ISO 27001 is the risk management, and basically you will need to identify and treat risks, and for the treatment, you can use the ISO 27002, because it gives you specific information about how to implement security controls. So, the logic is to implement ISO 27001, using the code of best practices of ISO 27002 to know how to implement security controls for the treatment of risks identified.

    For more information about ISO 27001 and ISO 27002, please see this article “Diferencias y similitudes entre ISO 27001 e ISO 27002” : https://advisera.com/27001academy/es/knowledgebase/diferencias-y-similitudes-entre-iso-27001-e-iso-27002/

    And also this one “The basic logic of ISO 27001: How does information security work?” : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Risk management and the Internal audit


    Answer: I am sorry, but the Internal Audit and the Risk management are completely different things in ISO 27001. The Risk management is performed to identify and treat risks. The Internal Audit is performed (after the risk management) to check the compliance with ISO 27001.

    Anyway, if one year you identify a risk, and you define a treatment for it, you don’t need to include this risk in your assessment of the next year, because in that moment the treatment will be closed, and won’t be a risk for your business.

    And remember that no matter what the results of the risk assessment are, internal audit is mandatory - at least once a year.

    For more information about the risk management you can see this free webinar “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    And this course can be also interesting for you “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Identification of threats


    Answer: Our catalogue of threats/vulnerabilities is enough for most companies (small and medium size), because the list is generic and includes many kinds of threats, useful for any business. Anyway, each business is a different world, and maybe in some cases you need to include specific threats, but probably with our list you can identify the most important ones.

    You should know that it is not possible to identify all the risks - this is why risk assessment needs to be updated regularly (at least once a year, but if possible more often), and through these updates you will improve the list by adding the risks you identified over time.

    You can also use the catalogue of ISO 27005, which is an international standard that gives you a code of best practices for information security risk management, including a catalogue of threats and vulnerabilities, and maybe it can help you as a complement to our catalogue. You can buy this standard directly from iso.org : https://www.iso.org/standard/75281.html
  • Source vendor dropping ISO 9001 certification


    Answer:

    There is no mandatory requirement in ISO 9001:2015 that source vendors must be certified. Consider the actual supplier performance. If it is positive, you can change your requirements for that kind of supplier to remove the need to be certified. If the supplier performance is negative, consider the possibility of looking for another supplier.

    The following material will provide you information about supplier evaluation:

    - ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • NCR and CAPA definitions


    Answer:
    ISO 9000:2015 defines nonconformity as the non-fulfilment of a requirement. Your NCR should record information about the occurrence of the nonconformity (day, hour, product, type of nonconformity, decision about the action to treat the nonconformity, who is responsible for the decision and, when the decision is correction of the product, verification of effectiveness in the elimination of the nonconformity).

    It is not mandatory to have the same kind of form to record all nonconformities. For example, I worked with a bottling company, where there was a line operator that checked if labels on the bottles were correctly fitted and not stained. When there was a nonconformity, he removed the bottle from the line and made a mark in the production records. The occurrence was recorded without mentioning the action because the action was standard.

    It is not mandatory that every nonconformity generates a corrective action. Corrective actions require an investment in searching the root cause(s) of the nonconformity and, sometimes, nonconformities are not serious enough to justify the investment.

    After solving a nonconformity, your organization should ask: is this type of nonconformity serious enough or frequent enough to require a corrective action?

    ISO 9000:2015 defines corrective action as the action to eliminate the cause of a nonconformity. Most of the time, causes are not obvious, it is needed to investigate and make trials to determine and verify the root cause(s).

    The following material will provide you information about nonconformities and root causes:

    - ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
    - Seven Steps for Corrective and Preventive Actions to support Continual Improvement - https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
    - Procedure for the Management of Nonconformities and Corrective Actions - https://advisera.com/9001academy/documentation/procedure-control-non-conforming-products/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/