Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11288 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Re-write the quality manual
If you want to keep a quality manual and if your present one is organized according to ISO 9001:2008, I think it is advisable to re-write the manual. But instead of re-writing the manual aligned with ISO 9001:2015 I would prefer to use an approach based on your own organization (a document that explains: We are XYZ company; we are producing this and providing these services; we apply a quality management system to these processes; we don’t apply these clauses of the standard for these reasons; these are our processes and their interactions; and, this is the internal and external context in which we operate.)
The following material will provide you information about approach based on your o wn organization to writing a quality manual:
• ISO 9001 – The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
• Writing a short Quality Manual - https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
• [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/ -
Difference between guideline and measure
Answer: I'm assuming that by "measure"you are referring to "security measure". Considering that, a "measure" is a control to treat the risk, while a "guideline" is an orientation about how to implement that control. For example, backup is a measure to treat the risk "loss of data due to hardware failure", while a guideline is the orientation that backup media should be regularly tested to ensure it is ready to use if required.
ISO 27001 provides security measures in the form of security controls listed in the Annex A, while implementation guidelines are provided in the ISO 27002 standard.
These articles will provide you further explanation about security measures and guidelines:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
- ISO 27001 vs. ISO 27002 https://advisera.com /27001academy/knowledgebase/iso-27001-vs-iso-27002/
These materials will also help you regarding security measures and guidelines:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Efficiency and effectiveness of the processes
Answer:
In case of process effectiveness and efficiency, the requirements of IATF 16949 are too vague to discard this requirement of the Lead Auditor, although the standard itself doesn't say that every single process needs to be measured for efficiency and effectiveness. Unfortunately, I think you will have to measure effectiveness and efficiency of all processes, but during the management review, you can decide to stop it for some or most of the processes (topically supporting processes).
When defining and documenting processes you need to apply requirements from clause 4.4,1 for every process. To distinguish between process and procedure, the easiest way is the process is set of activities that result in certain outcome and the procedure is description on how the process is carried out. For more information, see: ISO 9001:2015 process vs. procedure – Some practical examples https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/ -
Exclusions
Answer:
Any exclusion must be explained and providing only services is not an acceptable justification for excluding clause 7.3 in ISO 9001:2008. If your company has a set of services that provides to customers and there is no intention of developing new services then clause 7.3 in ISO 9001:2008 or clause 8.3 in ISO 9001:2015 can be excluded. The management system scope decision can be very important to influence exclusion justification. A company can develop new services but exclude them from the scope by being very precise about what includes within the scope.
The following material will provide you information about exclusion:
ISO 9001 – What is an acceptable exclusion in Clause 7 of ISO 9001? - https://advisera.com/9001academy/blog/2015/03/24/what-is-an-acceptable-exclusion-in-clause-7-of-iso-9001/
What clauses can be excluded in ISO 9001:2015? - https://advisera.c om/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
[free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
A final note, although this link is not about ISO 9001 https://advisera.com/9100academy/blog/2017/10/09/can-companies-still-exclude-design-and-development-from-their-as9100-rev-d-qms/ I would like to include it because it is much more clear than the other two -
ISO 2700 implementation
Answer: ISO 2700 cannot be implemented to products. It is a management system standard aimed to protect information related to organization's processes, business units or locations. Regarding the organization, ISO 27001 can be implemented to specific processes, business units or locations or you can define the entire organization as the ISO 27001 scope.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
2 - To start with risk assessment ISO 27001, is it mandatory to have process list identified first followed by identification of assets and then final risk assessment.
Answer: ISO 27001 does not prescribe any specific methodology for risk assessment, so orga nizations are free to choose the approach that suits them best.. That said, it is not mandatory by the standard to have a process list identified first.
These articles will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
These materials will also help you regarding your questions:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Budgeting ISO 27001 implementation
Answer: For planning costs, I suggest you to take a look at this free white paper:
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
In this white paper you will find information such:
- The types of costs faced within an ISO 27001 implementation project
- How different implementation options could affect your budget planning
- Tips to improve budget planning
- How to verify your budget outline
I also would like to remember you that included in the toolkits you bought you also have access to expert support to help you with the templates, answer questions and evaluate documents, so you can include this approach among other consultancy alternatives you may be considering.
Unfortu nately we have no such materials for SOC 2, but many concepts and examples in the white paper can be extrapolated to SOC 2. -
Customer visit and customer satisfaction
Answer:
In reality it doesn’t matter, it is just a box, consider that it belongs to customer satisfaction, or customer communication, or even a tool to win customers, or interested parties’ relationship development. What matters is that your organization believes that customer visits is something worth investing to do it professionally
The following material will provide you information about customer satisfaction:
- ISO 9001 – Main elements of handling customer satisfaction in ISO 9001 - https://advisera.com/9001academy/blog/2014/07/01/main-elements-handling-customer-satisfaction-iso-9001/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Maintaining organizational knowledge
Answer:
The way of maintaining the knowledge depends on the way how the knowledge is stored. The purpose of this clause is to ensure the knowledge is up to date. So, in order to maintain the knowledge, you need to identify it first, and it can be in form of work instructions, procedures, etc, and then you need to define how you should keep it up to date and available to the relevant people.
For more information, see: How to manage knowledge of the organization according to ISO 9001 https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
These materials will also help you regarding organizational knowledge:
- Book DISCOVER ISO 9001:2015 THROUGH PRACTICAL EXAMPLES https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online training ISO 9001:201 5 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/ -
Person responsible for data protection
Answer: If you have the Data Protection Officer, then this is the person responsible for data protection in your company.
If you do not have such function, you can assign a role of person responsible for data protection to someone like Head of IT department, Head of legal department, or similar - GDPR itself does not provide any guidelines on this, but it would be good to have someone with enough authority in the company to make important changes.
See also this article: The role of the DPO in light of the General Data Protection Regulation https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/ -
Product safety in plastic part manufacturing
Answer:
The requirements for product safety cannot be excluded even if there are no safety issues related to the product. If you are not designing the product and get the drawing from the third party (e.g. customer), they should provide you with information on the product safety. If they don't, you should conduct risk assessment to determine if there are any risks related to the product safety and take appropriate actions. Even if there are no product safety issues, you will still need to have the product safety process.
For more information, see: Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/