Search results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • ISO 27001Toolkit

    The most similar documents to be used are the documents for risk assessment and treatment and for the risk treatment plan. You can develop the process of web application vulnerability assessment as a subprocess of ISO 27001 Risk assessment (in the Methodology document).

    The documents for risk assessment and treatment can be found in the folder 05 Risk Assessment and Risk Treatment.

    The document for risk treatment plan can be found in the folder 07 Implementation Plan.

  • 17025 consulting

    I understand from your question you are asking if you can postpone the surveillance assessment by the accreditation body?

    It depends on when your accreditation cycle ends and the certificate of accreditation expires. You need to refer to the specific policy of your accreditation body and engage with them. There may be some flexibility with the date for a surveillance assessment, however it depends on availability of assessors. If the laboratory is at the end of the accreditation cycle and the full reaccreditation assessment is due, the laboratory would need to close any nonconformances before the expiration date anyway.

    Consider the laboratory’s commitment to clients, obligation as an accredited laboratory (contractual agreement with the accreditation body) and options. If there are major issues then they need to be identified, documented and addressed as a matter of priority. If these are minor issues that do not affect the validity of results, then acknowledge and start addressing them before the assessment. Then deal with the nonconformances raised by the accreditation body. If the validity of results are in question, then taking on work should typically be suspended until the issues are resolved. There are situations where a laboratory is obliged to go into voluntary accreditation suspension and cannot claim to be accredited until reassessed.

  • Driving factors and increased importance of OHS

    The reason that the context of the organization has been included in the ISO 45001 standard is to ensure that an organization thinks about the internal and external issues that can affect their OH&S processes, as well as understanding who the interested parties are for the OHSMS and what their additional needs and expectations are for OH&S management so that these can be included in the scope. These expectations will include business issues and risks that will need to be addressed to better prevent injury and ill health in the workplace. This is because an organization cannot simply meet the requirements of ISO 45001 for a management system, but need to also include legal and other requirements from interested parties within these processes.

    You can read a bit more about the context of the organization requirements in the article:

    • Defining the context of the organization according to ISO 45001 https://advisera.com/45001academy/blog/2016/02/03/defining-the-context-of-the-organization-according-to-iso-45001/

    • Relation of GxP to MDR in Medical Software

      No, we do not. However, our Documentation toolkit for ISO 13485 and MDR is based on Good manufacturing practice. 

    • Using CVSS as Risk Management Methodology for ISO 27001

      The proposed way to handle likelihood and impact in the paper sounds good, and would be acceptable to fulfill the standard’s requirements for risk assessment, although it is a bit complex when compared with other risk assessment approaches, like the asset-threat-vulnerability approach commonly adopted for ISO 27001 ISMS.

    • Methods to collect objective evidence during audit

      Auditors use their checklist to go into reality, within the audit scope, to collect objective audit evidence with interviews and observations.Auditors interview auditees. What auditees say are not facts, what auditees say are pseudofacts. So, what auditees say must be corroborated with documents or records or direct observation.Auditors basically use documents, records, and direct observation to collect objective evidence. The following material will provide you with more information:

    • Implementing ITIL in a Start-up - Major milestones

      Generally, you should focus the ITIL implementation based on the following elements (your milestones):

      1.      Strategy – Define: where do you want to be? Who are your customers? Which market do you serve? How do you intend to achieve those goals?

      2.      Customer journey – define your activities (and related resources) throughout the customer lifecycle

      3.      Products and services – define activities related to your products and/or services. Define related methodologies.

      4.      Operation – once you have your products/services – define needed activities to support and maintain them. This also includes related resources (and their capabilities) as well as respective value streams

      Measurement and metrics – define (and implement) appropriate measurements and metrics in order to ensure efficiency in service delivery

    • Can the Health and Safety policy be combined with the Environmental policy?

      First, yes you can have integrated health, safety, and environmental policy. Second, whether or not that is the best approach for your organization, will depend on the effective integration of the two systems. Third, in theory, I always try to integrate management systems because people in an organization do not work according to each management system, in particular, they simply do their work.  The following material will provide you with information about implementing integrated systems:

Page 74-vs-13485 of 1130 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +