Yes, the notices need to be written in "clear and plain language". This also includes the fact that all the affected data subjects would need to understand the content within.
QMS as a preventive system
Answer:
You are right in one important point. The whole QMS is, or should be, a preventive system. Your procedures and instructions reduce risks; they prevent wrong things from happening. But, please, check the definition of risk. There is an important point: uncertainty. Your procedures and instructions can't consider everything. You should review activities and procedures/instructions to evaluate if there are new risks to be considered worthy of changes in the way of acting.
The following material will provide you information about the risk-based approach:
When I saw in the content "Job preparation (very detailed check-list of tools and…" I remembered quality manuals made in the late 80's, because the standard at that time mentioned that the manual should refer to the documentation or include it. As you know, ISO 9001:2015 does not require a quality manual; nevertheless most organizations are keeping a document that they call the Quality Manual, or the Management System Manual. I advise you to proceed with your idea of making it as short as possible, perhaps 10 pages. 10 pages where you answer questions like:
a) Who are we?
b) What do we do?
c) Whom do we serve?
d) What kind of compromises do we assume?
e) How do we work? (where you can map your processes)
Your idea of a separated Operations Manual for example, seems very good.
Please see below some material with information about the quality manual:
- ISO 9001 – Writing a short Quality Manual - https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Risk based approach
Answer:
1. For example, in a Test Lab setting or in an Inspection Certification Body I would act in the same way:
a) what are the overall results that you intended to meet with your QMS in those settings?
b) did you map the processes for each of those settings? For each process, what are the overall intended results? For each process, what is its purpose?
c) for each service provided by each setting, what are the performance objectives, the specifications?
Then, for those three kinds of expected results you can ask: what can go wrong? In what ways can those expected results not be met? Each of those ways of failure is a risk. That would be my starting point. I would improve this baseline assessment with iterations done after non-conformities and performance evaluation.
2. ISO 31000 is for doing more than what is requested by ISO 9001:2015. It gives guidance, for example, about possible types of actions concerning risk mitigation, risk avoidance and risk reduction.
Would the results be affected drastically compared to the initial time scale assessments?
Answer: The values presented in the template for time scale can be changed to fit your organization's needs without problem. They are only examples based on our experience, and changing them won't have effects on your results considering your organizational context.
Answer: The items identified are only examples. You should evaluate your organizational context to identify which to include or not, as well as include other items not mentioned in the list.
Answer: Broadly speaking, you should consider the areas responsible for ISO 27001 main requirements (e.g., document control, risk assessment, management review, corrective actions, etc.), and the areas where the applicable controls stated in SoA are implemented. If you plan a single audit, all the controls stated in SoA should be audited. If you are planning multiple audits, then you can audit part of the controls stated in SoA on each internal audit, but you have to ensure that all controls were covered by your planned audits.
Considering the strategic orientation of your organization, your top management team should determine internal and external issues that could affect the intended results of your QMS.
You can document that list of internal and external issues.
Then, considering those issues, you should determine risks and opportunities. And you can list them. For example, if you determined as an external issue the possibility of competitors with new technology disrupting your market, or determined the opportunity of opening a new geographical market that your government negotiated for the opening of economic borders with other countries, those will be clearly good candidates for risks and opportunities determined considering clause 4.1.
You can make explicit connections between issues and risks and opportunities or not. They can only be implicit, and your top management team can show to auditors the connections.
The following material will provide you information about the risk-based approach:
In a nutshell, the data protection by design provision requires controllers to:
- implement appropriate technical and organizational measures (such as pseudonymisation) which are designed to implement data protection principles (such as data minimization) in an effective way; and
- integrate necessary safeguards into their processing activities in order to meet the requirements of the GDPR and protect the rights of data subjects.
Under the data protection by default provision, controllers are required to implement appropriate technical and organizational measures for ensuring, by default, that only personal data which are necessary for each specific purpose of the processing are processed.
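As an added example that is not part of the original answer, the Python below shows what the two provisions look like when turned into code: keyed pseudonymisation of a direct identifier (a "technical measure" for data protection by design) and a per-purpose allowlist so that each processing purpose receives only the fields it needs, with nothing released by default (data protection by default). The records, purposes, field names and key are constructed assumptions, not values from the page.

```python
"""Added illustration of data protection by design and by default:
keyed pseudonymisation plus per-purpose data minimisation.
Records, purposes, field names and the key are constructed for this example."""
import hashlib
import hmac

# Constructed sample records (invented values, not real people).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "a@example.org", "postal_code": "10115", "age": 34},
    {"customer_id": "C-1002", "email": "b@example.org", "postal_code": "20095", "age": 58},
]

# Hypothetical per-purpose allowlists. Anything not listed for a purpose is
# dropped before the data leaves the controller's system: the default is to
# release nothing beyond what the stated purpose needs.
PURPOSE_FIELDS = {
    "shipping": {"customer_id", "postal_code"},
    "analytics": {"customer_id", "age_band"},
}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. Same input and same key give the same
    pseudonym, so records stay linkable, but reversing the mapping needs the
    key, which is kept separately from the minimised data set (GDPR's
    definition of pseudonymisation rests on that separation)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band, a minimisation technique."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimise(record: dict, purpose: str, key: bytes) -> dict:
    """Return only the fields the purpose may receive, with the direct
    identifier replaced by its pseudonym and the age generalised.
    An unregistered purpose raises KeyError: fail closed rather than leak."""
    allowed = PURPOSE_FIELDS[purpose]
    derived = dict(record)
    derived["age_band"] = age_band(record["age"])
    derived["customer_id"] = pseudonymise(record["customer_id"], key)
    return {field: derived[field] for field in allowed if field in derived}


def prepare_for_purpose(records: list, purpose: str, key: bytes) -> list:
    """Apply the purpose-specific minimisation to every record."""
    return [minimise(r, purpose, key) for r in records]


if __name__ == "__main__":
    # Constructed demo key; a real deployment would load it from a secret store.
    demo_key = b"example-only-pseudonymisation-key"
    for purpose in PURPOSE_FIELDS:
        print(purpose, prepare_for_purpose(SAMPLE_RECORDS, purpose, demo_key))
```

The point of the allowlist is that adding a new field to the source record changes nothing downstream until someone deliberately registers it for a purpose, which is the "by default" property the provision asks for; the keyed pseudonym keeps the shipping and analytics extracts linkable to each other without either of them carrying the raw identifier or the e-mail address.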