
  • ISO 9001, CMMI and ISO 27001


    Both CMMI and ISO 9001 aim at improving process quality. The fundamental difference between CMMI vs ISO 9001 is conceptual. CMMI is a process model and ISO 9001 is an audit standard.

    CMMI is a set of related "best practices" derived from industry leaders and relates to product engineering and software development. Businesses receive CMMI ratings from Level 1 to Level 5 depending upon the extent of compliance to key performance areas specified in the selected CMMI process area.

    ISO 9001 is a certification tool that certifies businesses whose processes conform to the laid down standards. Implementing ISO 9001 doesn't mean that you are compliant with CMMI, although it can be a good foundation for implementing CMMI.

    What is your advice on implementing an enterprise quality assurance framework, in a nutshell? Does it sound correct if I propose using ISO 9001:2015 as the overarching quality assurance framework, and applying ISO 27001 for its information security?

    ISO 9001 and ISO 27001 have their own purposes: ISO 9001 deals with quality, while ISO 27001 focuses on information security. They are complementary and can be implemented and maintained together as an integrated management system. For more information, see: How to integrate ISO 9001 and ISO 27001 https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/
  • Exclusions and ISO 9001:2015


    Answer:

    If the component is manufactured by your company, it must be designed and the production process developed. If your company only assembles, it must design and develop the assembled product but not the individual components. For example, a company can manufacture a piece of industrial equipment. Design and development applies to the equipment as a whole and to some parts developed inside the company. The equipment incorporates a standard motor that the company buys from an approved supplier. The company does not need to design and develop that motor. And if, during use, due to a breakdown of the equipment, the customer that bought the equipment orders a new motor, it is just a commercial operation included in the after-sales service. So, in that case, you can exclude design and development for those standard components.

    The following material will provide you information about exclusions:
    • What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    • Specific use of ISO 9001 design and development in the machining process - https://advisera.com/9001academy/blog/2017/03/14/specific-use-of-iso-9001-design-and-development-in-the-machining-process/
    • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • ISO 27001 and Information Security Manager


    Answer: ISO 27001 does not define a role such as Information Security Manager, but authorities and responsibilities that must be fulfilled:
    - ensure that the ISMS conforms to ISO 27001 standard; and
    - report on the performance of the ISMS to top management

    These authorities and responsibilities can be designated to the role of Information Security Manager, if it exists in the organization, or to any other role the organization sees as appropriate.

    These articles will provide you further explanation about authorities and responsibilities for the ISO 27001 ISMS:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

    These materials will also help you regarding authorities and responsibilities for the ISO 27001 ISMS:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Outsourced processes


    My answer:

    The subcontracting of a process that the organization needs is subject to the requirements of clause 8.4 (Control of externally provided processes, products and services) and clause 4.4 (QMS and its processes) of ISO 9001:2015.

    You must make sure to include all outsourced processes that affect the quality of the product or service in the scope of the QMS, in this case the company that carries out the employee selection process. It is necessary to identify, define and demonstrate evidence of sufficient controls over the external provider of the outsourced process to ensure that the process is carried out according to the requirements of ISO 9001:2015. The nature and extent of such controls will depend on the nature of the outsourced or subcontracted process and the risk it involves. Outsourced processes can be controlled in many ways, for example: providing service specifications or the supplier quality manual that they must comply with; requesting inspection results or certificates of conformity, or validation of the outsourced process; carrying out audits of the service and audits of the subcontractor's QMS; etc.

    For more information, you can read the article "How to control outsourced processes using ISO 9001" (in English): https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/

    The following materials will help you with ISO management systems:
    - Book "Preparing for the ISO implementation project: a plain-language guide": https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
    - Free online training: "ISO 9001 Foundations Course": https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Conformio (online tool for ISO 9001): https://advisera.com/conformio/
  • Inventory of assets


    Answer: I saw that you covered assets most related to hardware and information media. Considering the ISO 27005 standard (information security risk management), annex B (identification and valuation of assets and impact evaluation), I think you should also consider the following for assets that will need some sort of control that will be relevant for every employee:
    - Specific types of information (e.g., those with high cost to produce or replace, those related to business strategy and performance, people's privacy, etc.)
    - People in specific positions (e.g., decision makers, key department managers, developers, products/processes specialists, etc.)

    In the Inventory of Assets template that comes with your toolkit you have a list of assets you can consider (sheet "Checklist of assets").

    If you still have any doubts, included in your toolkit you can schedule a meeting with one of our experts so he can provide you additional support. To schedule a meeting you can access this link: https://advisera.com/27001academy/consultation/
  • Defining the scope of internal laboratory


    Answer:

    The level of details to be included in the lab scope will depend on the complexity of the measurements your lab performs. If you have fairly liberal tolerances, you can afford to generalize where others may not be able to. The topics that are usually included in the lab scope are laboratory testing and calibration methods, equipment listing, methods and standards.
  • Closing meeting for internal audit


    Answer:

    A closing meeting is not required by the standard for internal audits, and most companies don't hold it, although I think it is a good idea. At the closing meeting you should present the results of the internal audit to the top management.

    You can start by explaining the scope of the audit, the audit criteria, and whether the audit plan was fully realized (for example, you can tell them if there were some processes or locations that were left out from the audit and present the reasons why), and then you can present them with the audit findings (nonconformities, recommendations for improvement, etc.).

    For more information, see: ISO 9001 – How to prepare for an internal audit https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/

    These materials will also help you regarding internal audit:
    - Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • ISO 9001 vs IATF 16949 transition


    Answer:

    If you are planning to let go of IATF 16949 and want to keep only the ISO 9001 certificate, then you do not have to include APQP. On the other hand, APQP is in most cases a customer requirement, so if the customer requires it, you should keep it regardless of whether you keep the IATF 16949 certificate or not.

    For more information, see: Establishing Advanced Product Quality Planning (APQP) in IATF 16949 https://advisera.com/16949academy/blog/2017/09/13/establishing-advanced-product-quality-planning-apqp-in-iatf-16949/
  • Documenting context of the organization


    Answer:

    ISO 14001 does not require the context of the organization (internal and external issues) to be documented. However, if you decide to document them, you can do so through some kind of record; it can be a sheet or a record from the meeting at which the organization determined the context. This document can be kept separately, or it can be an appendix to the manual, the document about the scope, etc.

    For more information, see: Determining the context of the organization in ISO 14001 https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/

    These materials will also help you regarding the documentation and the context:
    - Book Managing ISO Documentation: A Plain English Guide https://advisera.com/books/iso-standard/iso-14001/
    - Free online training ISO 14001:2015 Foundations Course https://advisera.com/training/iso-14001-internal-auditor-course/
    - Conformio (online tool for ISO 14001) https://advisera.com/conformio/
  • Who must perform the Risk Assessment within the Company?

    The risk assessment must be performed by all organization units involved with the ISMS scope (good practice would be for the risk assessment to be performed by one person from each department), either all together in a single process or in separate processes that will be consolidated later (this will depend on the size of the scope, its complexity, the number of people involved, etc.). Regardless of the approach, you should consider the participation of the Information Security Manager, or someone with knowledge of the risk assessment process, to act as facilitator, supporting the organization units' personnel to identify, analyse and evaluate the risks concerning their activities.

    This article will provide you further explanation about the risk assessment process:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding the risk assessment process:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/