Answer: To support your assumption that there is no correct segregation of tasks or of environments, you have to identify a policy or procedure which defines the rules for access control, and then evaluate whether the situation is compliant or not with the established rules.
If the situation is not compliant with the established rules you can declare a non-conformity.
If there is no policy or procedure available, you should look for the risk assessment results and applicable legal requirements (e.g., laws and contractual clauses), and then evaluate whether the situation is compliant or not with them. If the situation is not compliant with the risk assessment results or legal requirements you can declare a non-conformity.
In a management system one can consider three kinds of action:
• Correction action;
• Corrective action and;
• Preventive action.
Correction action is about dealing with a non-conformity. The purpose is to eliminate the non-conformity. For example, rework a defective part.
Corrective action is about eliminating the cause of a particular non-conformity. For example, why is the part defective? Because our temperature control system during production is not working properly. A corrective action can improve the temperature control system and eliminate that kind of defect.
Preventive action is about eliminating the cause of a potential non-conformity. For example, what kind of actions should the company develop to reduce the monthly frequency of defective parts?
Thank you very much for that great explanation. It helped me a lot.
Monitoring and measuring as inputs to the management review
Answer:
Your organization has determined what to monitor and measure (clause 9.1.1) and has analyzed and evaluated what resulted from monitoring and measurement (clause 9.1.3). Management should review and decide whether it is necessary to change anything about what to monitor and measure. Is what is monitored and measured adequate, or should it be changed? Also, considering the results of monitoring and measurement, management should review trends and decide whether it is necessary to improve performance.
Answer:
Since you have IT service delivery experience, I would suggest considering two streams for further capability development:
1. ISO - ISO 20000 is the ISO standard for IT service management. With an ITIL Foundation certificate there is only a small delta you need to cover to gain the ISO 20000 Foundation certificate. Afterwards - e.g., an Internal Auditor course and certificate.
2. ITIL - there are various trainings (and certifications) in ITIL that will give you detailed knowledge in, e.g., the delivery of IT services. So, check the content and decide your educational path.
Answer: ISO 27001:2013 clause 6.1.3 requires the retention of documented information about the information security risk treatment process, and if your organization does not have written risk owner's approval of the information security risk treatment plan and acceptance of the residual information security risks this would be a major non-conformity, because this is a failure in complying with a standard's requirement.
Regarding an OFI (Opportunity For Improvement), this is not a non-conformity, but an issue raised by the auditor that requires an evaluation by the organization, because in the auditor's opinion this could lead to a non-conformity in the future. In this case, after the evaluation an organization can decide to do nothing or to implement an action plan to handle the situation. An OFI can lead to a non-conformity if:
- no evaluation is performed by the organization until the next audit
- the organization decided to implement an action plan but has not resolved it within the deadline
Answer: Yes, you can limit your audit to just one department. Regarding the fact that this department uses the same network, servers and physical location, you should check whether these elements comply with the requirements defined for the department you are auditing (if different departments have different levels of security requirements, the organization should consider segregating them into groups with similar requirements).
Thirteen steps can be laid out to make sure that nothing is forgotten during implementation and preparation for certification:
1) Obtain management support
2) Identify the requirements
3) Define the scope
4) Define the processes and procedures
5) Implement the processes and procedures
6) Training and awareness programs
7) Choose a certification body
8) Operate the QMS / measure the system
9) Perform the internal audits
10) Perform the management review
11) Corrective actions
12) Stage 1 of the certification audit
13) Stage 2 of the certification audit
Although I do not have the details of your process interaction map, the AS9100 standard has a specific statement about the QMS processes. Documented information is to be maintained that includes: "a description of the processes needed for the QMS and their application throughout the organisation". So you do not just need the process interaction map (this only lists the processes and shows their application), but what might be missing is the description of the processes. This could be done with references to process documents that you have, but if no documents were created (because you do not need to have documented procedures) then there needs to be another way to describe the processes needed.
For your second question, the statement "no mandatory documents are required" is a statement about the standard. There are no listed mandatory documented procedures in the standard, although you do need to maintain some processes as documented information (in particular non-conforming outputs and corrective action). The main question for creating additional documented procedures is "If I don't have a documented procedure for this, can I have a non-conformity?" If the answer is yes, then you need to have a documented procedure. For some more information on the mandatory documentation needed by AS9100 take a look at this whitepaper: https://info.advisera.com/9100academy/free-download/as9100-rev-d-list-of-mandatory-documents
Becoming a consultant and internal auditor
There are no requirements for consultants. If you are able to implement the standard and make the company pass the certification audit, that is all the organization needs from you. There are some courses like Lead Implementer, but I'm not sure if they will really help you. The Lead Auditor course you've passed is sufficient to get you familiar with the requirements of the standard, and now you need to figure out how to implement those requirements. A good start is to see how the standard is implemented in some company and start from there. For more information, see How to become an ISO 9001 consultant https://advisera.com/9001academy/blog/2016/11/15/how-to-become-an-iso-9001-consultant/
I want to know the basic prerequisite for becoming an Internal Auditor. Please respond with the required items that need to be acquired such as training, certificates, experience etc.
The standard does not have requirements in terms of competence for internal auditors, but usually they need to be familiar with the requirements of the standard and the processes within the company. It can be beneficial for internal auditors to pass either a Lead Auditor or Internal Auditor course to get familiar with the requirements of the standard and the auditing techniques. Here you can find our free-to-attend ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
Another thing is, how do you select a team of internal auditors for ISO 9001:2015 in an organization? And if there is already a team of internal auditors for ISO 9001:2008, then how do you transition them to ISO 9001:2015, and what are the prerequisites?
The best way to pick people for the internal auditor team is to select one person from each process, and they should audit each other's work; this is only in the case where the organization doesn't have a quality department. If it does, then the team should be comprised of people from the quality department. For auditors that are already familiar with the 2008 revision of the standard, the best option is to get familiar with the new requirements, and then they are ready to get back to auditing. They do not have to go through new internal auditor training; it is sufficient to attend some training on the new requirements of the standard. Here you can find our ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/