Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Management Representative: Role and responsibility
Each organization can design a particular role and responsibilities for its Management Representative, the minimum required by ISO 9001:2008 is on its clause 5.5.2. For example:
• Maintenance of the QMS – like following-up internal audits;
• Reporting on QMS performance – like communicating to top management how the performance of the system is going
• Promoting customer requirements – like communicating customer requirements inside the organization and showing how each employee contributes to their fulfillment
• Liasing with external parties like the certification body
The following material will provide you details with the role and responsibilities of the Management Representative:
Article - What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
Article - What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/ -
ISO 27001 implementation process
Answer: The first and most important step is to gain the buy in of top management to support this project, because without the top management support, in terms of capital, personnel, equipment, and authority, you will have a very difficult job to convince the organization to adopt information security practices.
This article will provide you further explanation about ISO 27001 implementation process:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
These materials will also help you regarding ISO 27001 implementation process:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Log monitoring tools
-A.12.4.1, A.12.4.3 Logs of user activities, exceptions, and security events
This mean, we are required to have a centralized log management system in place e.g. SIEM?
Answer: No. Centralized log management system is one of the solutions that you can use to fulfill these controls if they are applicable, but depending on the size, resources and requirements of your organization, you can manage the logs provided by your applications and systems in decentralized form. Additionally, you also may have situations where you do not use systems to log information, like occurrence books to record physical access.
These articles will provide you further explanation about log and monitoring controls:
- Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
This material will also help you regarding log and monitoring controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
The procedure manual, context and interested parties
Answer:
The standard has several requirements for documented procedures but, it does not require documented procedure for each clause. For those clauses that require documented procedures, they usually define the content of the procedure and the key requirements that the procedure must cover. For more information, see: 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/
As far as context of the organization is concerned, you need to gather relevant people in the organization and determine internal and external issues that affect Quality Management System. For more information, see: How to define the context of the organization in IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/how-to-define-the-context-of-the-organization-in-iatf-169492016/
Within requirements for determining context of the organization, the organization also needs to identify interested parties and their needs and expectations related to Quality Management System. For more information, see: Determining interested parties and their requirements according to IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/determining-interested-parties-and-their-requirements-according-to-iatf-16949/ -
Matrix for communication
Answer:
Matrix for communication is not really a requirement in ISO 9001, however, if you decide to make it, the best way is to create a table where in one column you will list all relevant roles in the QMS (Quality Management System) and in each row in the table will represent one responsibility for communication, for example communicating Quality Policy. Then you can put check marks to mark which role is responsible for which communication.
For more information, see: Communication requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
These materials will also help you regarding communication process:
- Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online training ISO 9001:2015 Foundat ions Course https://advisera.com/training/iso-9001-foundations-course/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/ -
Quality Reports
Answer:
I'm not sure what you mean by Quality Reports and what is the content of this record, but according to clause 8.6 in ISO 9001:2015 that defines requirements for production process, the organization must maintain the following documented information:
- characteristics of the product to be produced or service to be provided
- records about customer property
- production/service provision change control records
If the Quality Report serves to meet one or more of the above mentioned requirements, than it is mandatory to have it. On the other hand, if it is used to monitor or measure some of the parameters in the production process and it is mentioned in the production procedure, than it can also be considered as a mandatory document.
For more information, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/it/knowledgebase/le-cinque-fasi-principali-della-verifica-interna-iso-9001/ ist-of-mandatory-documents-required-by-iso-90012015/
These materials will also help you regarding mandatory documentation:
- Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/ -
Definition of security roles and responsibilities
Answer: ISO 27001 does not require to write a separate document for roles and responsibilities, that's why there is no specific template in the toolkit defining roles and responsibilities
Besides the general roles and responsibilities defined in the Information Security Policy template, all other detailed responsibilities are defined in each template every time an specific activity is required to be performed. Every time you find the field "[job title]" in a template this means that you have to define who has the responsibility to perform the activity described in the sentence. For example, in the sentence:
"[job title] must document the following in the Statement of Applicability: ...", you have to define which role in your organization has the r esponsibility to fill the Statement of Applicability.
This article will provide you further explanation about roles and responsibilities:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
By the way, with the toolkit you bought you also have the access to video tutorial that can help you fill your documentation. You can find these tutorials in Conformio, it the menu "Repository", in folder "Video tutorials" - see what you need to click here: https://www.screencast.com/t/T5rLxMgc3UJz -
SoA update
Answer: Yes. The SoA is a living document that must be updated as required to reflect the organization's approach towards information security, but you have to ensure that any modification to the SoA is justified and formally approved and recorded as defined in your document control procedure.
This material will also help you regarding documentation control:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/ -
Control of changes
Answer:
When it comes to changes in documentation, you should follow your existing procedure for document and record control. The changes you are mentioning are related to the clause 6.3 Planning of changes which refers to changes in the processes and the QMS. This clause doesn't required documented information, but it would be beneficial if you would describe in the manual how the changes in the QMS are planned and executed, but you don't have to develop any form and even if you decide to develop it, it doesn't have to cover all requirements of the clause.
For more information, see: QMS Change Management in 7 steps https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
These materials will also help you regarding planning changes:
- Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/ -
Defining responsibilities for ISO 9001 requirements
To be somewhat clear, every other departments (not the HR) of an organization has employees under its control. On the issue of competence Clause 7.2 of the standards it requires to retain documented information as evidence. of competence. Somebody says, I could not make that a part of my audit question since it should be the HR department who must be audited on that matter."
Answer:
There are some requirements that are specific for some processes, like clause 8.5 fro production process, or clause 8.4 for purchasing process. However, there are also requirements that should be applied throughout entire QMS (Quality Management System) such as requirements for control of documented information.
Requirements for competence can be met in different ways in different companies, for example, you can have an HR department that is responsible for the requirements (and this is more common or you can have these requirements met on the level of each department or process. Depending on who is responsible for keeping the records about the competence, you need to required them from appropriate person. If the organization has HR department, they are probably in charge of the competence records.
For more information, see: How to ensure competence and awareness in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
These materials will also help you regarding the audit:
- Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online training ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/