Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Transition and Objectives & Quality Policy
Answer:
Normally, during transition from ISO 9001:2008 to 2015 there is no need to change objectives and policy. Nevertheless, I would recommend you check if the quality policy is appropriated to the context and is aligned with the strategic direction. Concerning the objectives, I would recommend you check if the there is a need to consider statutory or regulatory requirements. And don’t forget the requirements of planning how to meet those objectives.
The following material will provide you details with objectives and quality policy:
Article - How to Write Good Quality Objectives
- https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
Article - Aligning quality objectives of the QMS with the strategic direction of the company
- https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
Article - How to make the transition from ISO 9001:2008 revision to the 2015 revision
- https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
White paper - Twelve-step transition process from ISO 9001:2008 to the 2015 revision - https://info.advisera.com/9001academy/free-download/twelve-step-transition-process-from-iso-90012008-to-the-2015-revision
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/ -
Requirements of ISO 27001 to be implemented by the CSP
Answer: You need to implement all the requirements from ISO 27001 clauses 4 to 10, and applicable controls from the Annex A, based on the results of the risk assessment. The standard doesn't specify precisely what the cloud service provider will need to implement - this is something you have to define based on the results of the risk assessment, and require those security controls through the agreement with this provider - the fact that they are already certified doesn't change anything in this approach.
These materials will help you:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Clause-by-clause explanation of ISO 27001 https://advisera.com/27001academy/free-downloads
2 - Also, we host PII information in the cloud. Do we need to comply against any specific ISO standards in addition to 27001? Appreciate your inputs.
Answer: There is no requirement to comply to any other ISO standard. However, if you want, you can implement ISO 27018 which describes protection of PII in the cloud. See this article: ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/ -
QS 9000 APQP and PDCA in ISO 9001
Answer:
QS 9000 is old version of the quality system requirements related specifically to the automotive industry and is replaced by TS 16949 and later with IATF 16949. Advanced product quality planning (or APQP) is a framework of procedures and techniques used to develop products in industry, particularly the automotive industry.
PDCA (Plan Do Check Act) cycle is a repetitive four-stage model for continuous improvement in business process management and it is integral part of not only ISO 9001 but many other management system standards, such as IATF 16949, ISO 14001, ISO 27001 and many others.
PDCA and APQP are completely different when it comes to their purpose and nature and they are really hard to compare in any way.
For more information, see:
- Establishing Advanced Product Quality Planning (APQP) in IATF 16949 https://advisera.com/16949academy/blog/2017/09/13/establishing-advanced-product-quality-planning-apqp-in-iatf-16949/ duct-quality-planning-apqp-in-iatf-16949/
- How to implement the PDCA cycle in the automotive industry according to IATF 16949 https://advisera.com/16949academy/blog/2017/06/07/how-to-implement-the-pdca-cycle-in-the-automotive-industry-according-to-iatf-16949/ -
Maintaining ISO 9001 and TS 16949
Answer:
Having TS 16949 implies that you have ISO 9001:2008 since TS 16949 is based on ISO 9001 and includes all its requirements plus automotive industry specific requirements. Many certification bodies issue both ISO 9001 and TS 16949 certificates once you pass TS 16949 certification audit.
Both ISO 9001 and TS 16949 have new versions published in last two years and organizations that want to maintain their certificates must conduct the transition of their QMS (Quality Management System) to maintain compliance with the standards and keep their certificates.
For more information, see: 12 steps to make the transition from ISO/TS 16949:2009 to IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/12-steps-to-make-the-transition-from-isots-16949-2009-to-iatf-16949-2016/ -
Risk assessment approaches
Answer: Yes, your organization can change its risk assessment approach any time it seems appropriate, but you should ensure this change is properly approved and recorded, and that the new approach is documented (as required by standard's clause 6.1.2) and well integrated to the other activities in the risk management process (e.g., with the risk treatment plan).
These articles will provide you further explanation about risk assessment and treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
These materials will also help you regarding risk assessment and treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Internal audit client
Answer: Since you are performing an internal audit, you should report to the person that requested the internal audit, i.e., the head of the IT department. There is no need to report to the certification body at the moment of the audit realization (but you should note that during regular certification audits an auditor can ask for information about this particular internal audit)
This article will provide you further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plai n-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ -
Risk assessment participants
Answer: The risk assessment must be performed by all organization units involved with the ISMS scope (good practice would be the risk assessment being performed by one person from each department), either all together in a single process or in separated processes that will be consolidated later (this will depend on the size of the scope, its complexity, number of people involved, etc.). Regardless of the approach, you should consider the participation of the Information Security Manager, or someone with knowledge on the risk assessment process, to act as facilitator, supporting the organization units personnel to identify, analyse and evaluate the risks concerning their activities.
This article will provide you further explanation about the risk assessment process:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding the risk assessment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Selecting qualified ISO 27001 certification auditors
We’ve not done ISO 27001 before, therefore how can we find out if they are qualified to audit us and apply for certification?
Basically, does an ISO auditor need certain qualification? And how clients know the validity of the ISO 27001 certificate issued by them?
Answer: To obtain an ISO 27001 certification an organization must be audited by auditors from accredited certification bodies, which are organizations that are compliant with the ISO 17021 standard (Requirements for bodies providing audit and certification of management systems). So, no single auditor can certify an organization regarding ISO management systems. To verify if an organization is accredited to certify ISO 27001 management systems you should verify with the accreditation body in your country or in the country where the certification body has its headquarter.
Regarding qualifications, yes, an ISO 27001 certification auditor must have certain qualification, both related to ISO management system and specificities of market indus tries.
These articles will provide you further explanation about accreditation and certification:
- Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
These materials will also help you regarding the certification process:
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
- Free webinar – ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/ -
Conceptos y principios del SGC
La norma ISO 9001 es un estándar que establece los requisitos de un sistema de gestión de calidad. Ayuda a los negocios y las organizaciones a ser más eficientes y a mejorar la satisfacción del cliente.
La ISO 9001 se construye sobre siete principios de gestión de calidad. Seguir estos principios asegurará que la organización o el negocio se estructura de manera que cree valores sistemáticamente para sus clientes
1. Orientación al cliente. Cumplir con las necesidades del cliente es el objetivo principal del SGC y contribuirá a largo plazo al éxito de la compañía.
2. Liderazgo. Tener una única dirección o misión que viene de un liderazgo fuerte es esencial para asegurar que todo el mundo dentro de la organización entiende que es lo que se trata de alcanzar.
3. Implicación de los empleados. Crear valores para los clientes será más fácil si la organización es competente, está capacitada y comprometida a todos los niveles del negocio u organización.
4. Enfoque de procesos. Entender las actividades como procesos que se relacionan entre sí y funcionan como un sistema que ayuda a alcanzar resultados más coherentes y predecibles.
5. Mejora. La organizaciones de éxito tienen el objetivo de la mejora. La reacción a los cambios tanto internos como externos es necesario si se quiere continuar ofreciendo algo valioso a los clientes.
6. Toma de decisiones basadas en evidencias. La toma de decisiones nunca es fácil e implica un grado de incertidumbre, sin embargo asegurar que las decisiones están basadas en el análisis y la evolución de los datos llevará más probablemente a un resultado deseado.
7. Gestión de relaciones. La identificación de las relaciones importantes que se tienen con las partes interesadas, como la relación con los proveedores, así como establecer un plan para gestionarlos, dará como resultado el éxito mantenido en el tiempo.
Para más información, vea este artículo (en inglés): https://advisera.com/9001academy/blog/2014/02/04/seven-quality-management-principles-behind-iso9001-requirements/#
Los siguientes materiales le ayudarán con los sistemas de gestión ISO:
- Libro “Gestión de documentación ISO: una guía en un lenguaje sencillo”: https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
- Capacitación gratuita en línea: “Curso de fundamentos ISO 9001”: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (herramienta en línea para ISO 9001): https://advisera.com/conformio/ -
Manual de calidad y proveedores externos
La norma no requiere ya un manual de calidad, pero si decidiera la organización escribirlo, entonces lo podría hacer de la manera que encuentre más adecuada para la compañia. Una de los enfoques más comunes es hacerlo siguiendo las cláusulas del estándar.
La externalización de un proceso que necesita la organización estará sujeto normalmente a los requisitos de las cláusulas 8.4 (control de proveedores externos) y la cláusula 4.4 (SGC y sus procesos). Luego la organización tiene que asegurarse que los controles propuestos para el proveedor del proceso subcontratado son claramente definidos y adecuados.
Para más información sobre cómo escribir un manual de calidad, puedes ver: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/escribir-un-breve-manual-de- calidad/
Para más información sobre subcontratación de proveedores, vea (en inglés): https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/#
Los siguientes materiales le ayudarán con los sistemas de gestión ISO:
- Libro “Gestión de documentación ISO: una guía en un lenguaje sencillo”: https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
- Capacitación gratuita en línea: “Curso de fundamentos ISO 9001”: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (herramienta en línea para ISO 9001): https://advisera.com/conformio/