Since the standard doesn't have any requirements regarding accounting and finance, the only way of auditing them is against the organization's internal procedures regarding accounting and finance. The department of finance and accounting is often left out of the scope of the QMS, simply because it is perceived that these processes do not affect the quality of the product and service or customer satisfaction. In the same way, they can be left out of the scope of the ISO 9001 internal audit.
In order to be verified, the internal auditors need to demonstrate competence in:
- understanding process approach and risk-based thinking
- understanding of customer specific requirements
- understanding of applicable ISO 9001 and IATF 16949 requirements
- understanding of the core tools, and
- understanding of the auditing techniques.
In order to demonstrate this, the auditors should provide some evidence in terms of the experience and training they have had on these topics. The training can be conducted by the organization itself or by external trainers. Basically, the training records can be sufficient to demonstrate competence. Also, all auditors need to be listed in a record of qualified internal auditors.
The challenge here is that the "line managers" are usually not in a position to review information security ... so to fulfil this, what would they actually need to prove/review? The standard does say "review IS processing in their area [...] with appropriate security policies, standards and any other security requirements".
Actually, this could be read such that, let's say, the production manager has to make sure that OHAS, 9001 etc. are correctly followed - so the fulfillment of A18.2.2 is rather an issue outside 27k (and would not require a special Risk Assessment for this).
Answer: The main objective of section A.18.2 is "to ensure that information security is implemented and operated in accordance with the organizational policies and procedures", so I wouldn't agree with your interpretation that "production manager has to make sure that OHAS, 9001 etc are correctly followed" is related to A18.2.2, because this control speaks about information security implementation, not about quality management or health & safety.
Considering that, to fulfil control A.18.2.2 managers must define how this will be done. The most common approaches are:
- through review of internal audits results
- through results provided by monitoring and measurement tools
- through the evaluation of the results achieved against security objectives and security performance indicators
Additionally, the managers must also define how any nonconformities identified will be handled.
Normally, during the transition from ISO 9001:2008 to 2015 there is no need to change the objectives and policy. Nevertheless, I would recommend you check if the quality policy is appropriate to the context and is aligned with the strategic direction. Concerning the objectives, I would recommend you check if there is a need to consider statutory or regulatory requirements. And don't forget the requirements for planning how to meet those objectives.
The following material will provide you with details on objectives and quality policy:
Requirements of ISO 27001 to be implemented by the CSP
Answer: You need to implement all the requirements from ISO 27001 clauses 4 to 10, and applicable controls from the Annex A, based on the results of the risk assessment. The standard doesn't specify precisely what the cloud service provider will need to implement - this is something you have to define based on the results of the risk assessment, and require those security controls through the agreement with this provider - the fact that they are already certified doesn't change anything in this approach.
QS 9000 is an old version of the quality system requirements related specifically to the automotive industry; it was replaced by TS 16949 and later by IATF 16949. Advanced product quality planning (or APQP) is a framework of procedures and techniques used to develop products in industry, particularly the automotive industry.
The PDCA (Plan Do Check Act) cycle is a repetitive four-stage model for continuous improvement in business process management, and it is an integral part not only of ISO 9001 but of many other management system standards, such as IATF 16949, ISO 14001, ISO 27001 and many others.
PDCA and APQP are completely different when it comes to their purpose and nature and they are really hard to compare in any way.
Having TS 16949 implies that you have ISO 9001:2008, since TS 16949 is based on ISO 9001 and includes all its requirements plus automotive industry specific requirements. Many certification bodies issue both ISO 9001 and TS 16949 certificates once you pass the TS 16949 certification audit.
Both ISO 9001 and TS 16949 have had new versions published in the last two years, and organizations that want to maintain their certificates must conduct the transition of their QMS (Quality Management System) to maintain compliance with the standards and keep their certificates.
Answer: Yes, your organization can change its risk assessment approach any time it seems appropriate, but you should ensure this change is properly approved and recorded, and that the new approach is documented (as required by the standard's clause 6.1.2) and well integrated with the other activities in the risk management process (e.g., with the risk treatment plan).
Answer: Since you are performing an internal audit, you should report to the person that requested the internal audit, i.e., the head of the IT department. There is no need to report to the certification body at the moment of the audit realization (but you should note that during regular certification audits an auditor can ask for information about this particular internal audit).
Answer: The risk assessment must be performed by all organization units involved with the ISMS scope (good practice would be the risk assessment being performed by one person from each department), either all together in a single process or in separate processes that will be consolidated later (this will depend on the size of the scope, its complexity, the number of people involved, etc.). Regardless of the approach, you should consider the participation of the Information Security Manager, or someone with knowledge of the risk assessment process, to act as facilitator, supporting the organization units' personnel to identify, analyse and evaluate the risks concerning their activities.