Search results


  • NCR and CAPA definitions


    Answer:
    ISO 9000:2015 defines nonconformity as the non-fulfilment of a requirement. Your NCR should record information about the occurrence of the nonconformity (day, hour, product, type of nonconformity, decision about the action to treat the nonconformity, who is responsible for the decision and, when the decision is correction of the product, verification of effectiveness in the elimination of the nonconformity).

    It is not mandatory to have the same kind of form to record all nonconformities. For example, I worked with a bottling company where there was a line operator who checked whether the labels on the bottles were correctly fitted and not stained. When there was a nonconformity, he removed the bottle from the line and made a mark in the production records. The occurrence was recorded without mentioning the action because the action was standard.

    It is not mandatory that every nonconformity generates a corrective action. Corrective actions require an investment in searching the root cause(s) of the nonconformity and, sometimes, nonconformities are not serious enough to justify the investment.

    After solving a nonconformity, your organization should ask: is this type of nonconformity serious enough or frequent enough to require a corrective action?

    ISO 9000:2015 defines corrective action as the action to eliminate the cause of a nonconformity. Most of the time, causes are not obvious; it is necessary to investigate and make trials to determine and verify the root cause(s).

    The following material will provide you information about nonconformities and root causes:

    - ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
    - Seven Steps for Corrective and Preventive Actions to support Continual Improvement - https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
    - Procedure for the Management of Nonconformities and Corrective Actions - https://advisera.com/9001academy/documentation/procedure-control-non-conforming-products/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk management in ISO 27001 Lead Auditor Course


    Answer:

    Advisera's ISO 27001 Lead Auditor Course provides you with the basics of risk management: how to identify assets, threats and vulnerabilities, calculate the level of risk, choose controls to mitigate risks, create reports, etc. It does not cover specific threats like manpower life threats, although he does provide a couple of real-life examples using different threats and vulnerabilities.

    By the way, you can watch all the video lectures completely for free, so you can check out for yourself the level of details: https://advisera.com/training/iso-27001-lead-auditor-course/
  • Preventive actions


    Answer 1: Although in the previous version, ISO 27001:2005, preventive actions were included explicitly, in the current ISO 27001:2013 they are not referenced, so we don’t have a template for this anymore, because basically it is not necessary.

    2.- Also I've got one question about the Risk Assessment: Is it necessary to add the serial number for each computer/laptop inside the company or can I just name the asset and the owner?

    Answer 2: From my point of view, the serial number of each computer/laptop is not relevant for the risk assessment, so you don’t need to include this information in the risk assessment, but for your asset management it can be very interesting to keep control of the serial number of each piece of equipment, because each piece of equipment (with its serial number, which is unique) will be assigned to a specific person. So, you can include this specific information in your asset inventory.

    This article can help you with the asset inventory “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    3.- And the last question: Is it possible to get access to more tutorial videos? It's been really helpful.

    Answer 3: As a customer, you can access all our video tutorials, but if you need more, you can see our free webinars: https://advisera.com/27001academy/webinars/

    Furthermore, you have access to all documentation tutorials, and here you can also take an online course, "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
  • Finding the root cause

    I really thank you for your reply; I got the answer for root cause analysis.
  • Data processing agreement


    Answer:

    Based on your description, both you and the company that would hire the seafarers are acting as independent controllers, except for the instance where the hiring company would provide you with the data of somebody for you to contact and interview on your behalf.

    In the independent controller scenario, although it is not strictly mandated by the GDPR, you could have a Controller to Controller GDPR Addendum (we are working on developing such a template), and for the scenario where you would be a processor, the hiring company would most likely ask you to sign a Supplier Data Processing Agreement similar to the one in our EU GDPR Documentation Toolkit ( https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ ).
  • Segregation duties


    Answer: I am sorry, we don’t have a template for the segregation of duties, because this is not a mandatory document according to ISO 27001. Anyway, to implement this control, basically you need:

    1. Identification of functions that are indispensable to the organization’s activities
    2. Division of the function into separate steps
    3. Definition of one or more segregation principles to be applied to the functions

    For more information, please see this article “Segregation of duties in your ISMS according to ISO 27001 A.6.1.2” : https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
  • Internal auditors and implementation help

    1) Is it possible for someone who doesn't have a certificate to be an auditor? Is experience enough?
    2) Can a company without an ISO certificate conduct an ISO process or help another company / business to be ISO certified? Isn't it a legal issue?

    Answer:

    It is up to the client of the audit to specify the competency requirements to be an auditor. Different clients will have different requirements. Interestingly, the latest version of ISO 19011 removed competency requirements from the auditor definition.

    There is no legal issue involved. A company without an ISO certificate can help a company / business to be certified. Naturally, a certified company can argue commercially that it has first-hand experience of the process.

    The following material will provide you information about internal audits:

    - ISO 9001 – 13 Steps for ISO 9001 Internal Auditing using ISO 19011 - https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
    - free online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Internal audit scope


    Answer:

    There is no universal answer. In the past, I advised some companies to do precisely that: to have a particular internal audit with EMS documentation as the scope of the audit. It can be useful, particularly during the implementation phase or after several problems with documentation control.

    The following material will provide you information about internal audits:

    - ISO 14001 - Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
    - free online training – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • What part takes the most time


    Answer: From my point of view, the part that takes the most time is the risk assessment & treatment, because it is also the most complex and most important part. Remember that the main objective of ISO 27001 is the protection of information, identifying risks and treating them.

    By the way, this checklist can help you to know the steps that you need to implement ISO 27001, “ISO 27001 implementation checklist”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    This course about ISO 27001 can also be interesting for you, "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
  • Cryptographic controls

    Thank you for your response. I agree with your comments; however, I am of the opinion that before deciding on the encryption key length, whether 128, 512, etc., an assessment should be performed.