Documenting context of the organization and interested parties
Answer: ISO 27001 does not require documenting the context of the organization, and this is especially not recommended for smaller organizations - you only need to take the context of the organization into account when defining the scope and doing the risk assessment. You can read more here: Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
You should document interested parties in List of legal, regulatory and contractual requirements, in folder 02 of the ISO 27001 Toolkit.
I would recommend that you keep this information separate from the Information Security Policy because otherwise you might need to update the Policy too often.
Answer:
By IMS Manual I understand “Integrated Management System Manual”. Since ISO 9001 and ISO 14001 no longer consider a Manual as a mandatory document, what you have must be OK.
The following material will provide you with information about the quality manual in ISO 9001:2015:
And I am with you in that struggle!!! The auditor should not identify root causes or determine the corrective action. By doing that the auditor loses their independence and objectivity. Now the auditor is responsible for the corrective action. Imagine that the corrective action is implemented correctly but the non-conformance still continues to happen; what will be the auditor's position?
Finding the root cause and determining the corrective action should be the managers' responsibility. Your internal auditors can approve or disapprove, before starting the implementation, but never substitute for managers.
The following material will provide you with information about internal audits:
Can you design a form that has all the possibilities and then, cross all non-applied fields in each product?
Having the same form code for several forms according to the product family seems to me a solution with weak points. We want that people unequivocally identify which form to use in each case.
PDCA, process approach and risk based thinking in ISO 45001
Since ISO 45001 adopted the same High Level Structure and Annex SL as ISO 9001, ISO 14001 and many other management system standards, the same principle is applied regarding the PDCA. First you need to plan your system, which includes determining the context, the policy, addressing risks and opportunities, determining OH&S hazards, setting the objectives and providing resources; basically you need to cover clauses 4 to 7.
The Do phase is defined by clause 8, where you need to establish and apply operational controls in order to mitigate occupational health and safety hazards.
The Check phase is located in clause 9, and it requires the organization to conduct internal audits, compliance evaluation and management review in order to determine conformity of the OH&SMS to the requirements of the standard and legal requirements, and the overall effectiveness of the OH&SMS, as well as the effectiveness of the operational control and actions to address risks and opportunities.
Finally, the Act phase is defined in clause 10, which defines requirements for continual improvement, corrective actions and nonconformities.
Since ISO 9001:2015 has no mandatory requirements about retaining documented information about risks and opportunities we are free to decide how to do it.
Working with organizations, I recommend using a Risk and Opportunities Register where we centralize all risks and opportunities determined (related to products and services, related to quality objectives and to the management system's processes), their evaluation (for example about probability and severity), the decision about doing something or not, and an overall description of what will be done (when applicable).
The following material will provide you with information about the risk-based approach:
No, certification audits are not free. You can check if in your country your government has any program in place to help with the costs of certification, because that happens in some countries.
The following material will provide you with information about certification costs:
Yes, you still need to do an internal audit. Internal audits and gap analysis are different things and have different purposes. A gap analysis identifies what is missing when it is supposed that something is missing. An internal audit is performed on a process that is supposed to be already operating according to the audit criteria. There is a before and an after with the gap analysis; there is no assurance that the changes needed were implemented and effective.
Normally, the Quality Policy is included in the Quality Manual. Nevertheless, the Quality Policy should also be a stand-alone document if there are employees that have no access to the Quality Manual. Normally, the Quality Objectives are not included in the Quality Manual because they can change every year. There are no requirements against including them in the Quality Manual; it is just the practical side of having to change it frequently that stops most people from doing it.
The following material will provide you with information about the Quality Manual:
Yes, environmental audit and environmental monitoring and evaluation are different things, although both are used to evaluate performance. An environmental audit is a systematic process of obtaining evidence to determine if audit criteria are fulfilled. For example: are procedures being followed? Are desired results being attained? Audits are done by auditors; they check documentation, they observe, they ask questions of the people doing the jobs. Environmental monitoring is about determining the status of a process or system, comparing actual results with desired results (the specifications), and after evaluation deciding if anything should be done. For example, independently of what is being done, an organization can monitor the amount of solid waste that it generates, or the quality of its air emissions.
The following material will provide you with information about monitoring and auditing: