Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Key performance indicators
Answer:
Without any previous experience of working with such a specific organization as a maritime training institution like yours, I would consider your relevant interested parties (clause 4.2) as a starting point: to whom do your organization works? It works for the government, it works for seafarers, and it works for seafarers employers, and it needs trainers.
For each interested party can you determine one or more goals that can measure performance against one or more of their relevant requirements? For example, the government can appreciate the number of seafarers trained and the meeting of the financial budget. Seafarers can appreciate good teachers and recognition of the school from the would-be employers. Seafarers employers can appreciate the quality of your students. Teachers can appreciate the quality of incoming students, school working environment and materials available.
These materials will provide you details with performance indicators:
• article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
• article - Monitoring and Measurement: The basis for evidence-based decisions https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
• - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/ -
Changes and relation to DR plan
Answer:
In order to avoid that changes have negative impact on Disaster Recovery (DR), Change Management process should be set in following way:
1. Changes that affect DR should not be authorized without involvement of DR Manager (or, according to ITIL, IT Service Continuity Manager). How to do that - since e.g. minor changes are authorized by Change Manager, he should be involved in DR plan and concept (or, environment, as stated in the question).
2. IT Service Continuity Manager (ITSCM) should be member of the Change Advisory Board (CAB). In such way, it will be ensured that no significant changes are authorized without approval from ITSCM i.e. DR.
To learn more, see the articles:
"Change Advisory Board in ITIL – advise, approve or what?" https://advisera.com/20000academy/knowledgebase/change-advisory-board-itil-advise-approve/
"IT Ser vice Continuity Plan – Why do you need it?" https://advisera.com/20000academy/blog/2017/05/02/it-service-continuity-plan-why-do-you-need-it/ -
Controls implementation
While we think this is a good recommendation and would like to implement it later, we would like to defer it during our Stage 1 and Stage 2 audits. The reason not to implement it initially is the time to get all departments on board with this and all documents updated is going to be a huge effort and the 4th quarter is a stressful time of the year for our business. Our stage 1 audit is the end of November.
Will we get a non-conformity, especially a major one, if we elect not to incorporate this in our SOA for the aforementioned reason?
Answer: You can leave some of the controls for the implementation for after the auditing under the following conditions:
1) That you have implemented before the audit the controls that mitigate the biggest risks – in other words, you can leave only less important controls for after the audit
2) That yo u have specified the deadlines for the controls that you will be implementing after the audit in your Risk Treatment Plan – of course, those deadlines must be after the audit date
3) That your risk owners or top management accept all the risks for which controls have not been implemented before the audit
This means that the most important controls must have ”implemented“ status at the audit, while the less important controls can have status ”planned“ or ”partially implemented“ at the moment of the audit. Of course that for controls with status of ”partially implemented” you have to keep evidences of activities already performed regarding the implementation (the auditor won't audit the control, but he will verify if the implementation plan is being executed).
This material will also help you regarding controls implementation:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/ -
Risk Mitigation Options
We received this question:
I tried to find the paragraph in ISO 27001, but cant find it there – can you include that in the web-answer?
Answer: Sorry by this confusion. I understand now that you are referring to ISO 27001 content, and not to ours toolkit's content.
In fact, ISO 27001 does not define risk treatment options, it only requires that the organization selects appropriate options taking into account the risk assessment results (clause 6.1.3 a)). The standard was designed this way so the organization can have flexibility to choose the options more relevant to its context.
However, the standard includes a note informing that its information security risk assessment and treatment process is aligned with ISO 31000, the ISO standard for risk management. In that standard you can find information about risk treatment options (on section 5.5.1), as well as on the standard ISO 27005 (Information security risk management), on section 9.
The 4 risk treatment o ptions in our toolkit are part of suggested options in ISO 31000 and ISO 27005, and they are the most commonly used. You can see details about them in the article I mentioned in my previous response. -
ISO 27001 requirements
Answer: ISO 27001 requires only that physical areas and equipment are protected against unauthorized physical access, damage, loss and interference, providing general controls to be fulfilled for each issue (e.g., security perimeter, equipment maintenance, entry controls, etc.). This standard does not provide details on how this should be done (e.g., type of technology, quantities, etc.). For more detailed orientation you should consider ISO 27002, which provides guidelines for the implementation of controls from ISO 27001.
These articles will provide you further explanation about ISO 27001 and ISO 27002 and physical controls:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
- How to implement equipment physical protection accordi ng to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
- How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/
- Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
These materials will also help you regarding ISO 27001 and ISO 27002:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
ISO standards for public sector
Answer:
There are numerous ISO standards that can be implemented in public sector, but most commonly implemented are ISO 9001, ISO 14001, OHSAS 18001 and ISO 27001. There are also a lot of supporting standards, that are not meant for certification but provide guideline for implementing above mentioned standards, like ISO 18091.
For more information see:
- What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/
- What is ISO 14001? https://advisera.com/14001academy/what-is-iso-14001/
- What is OHSAS 18001? https://advisera.com/18001academy/what-is-iso-18001/
- What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/ -
Effectiveness of a QMS
Answer:
Management review meetings are a good moment to evaluate the effectiveness of a QMS by analyzing to what extent quality objectives have been met. Organizations should not use a cookie-cutter approach to define key performance indicators (KPI). What is suitable for an organization with a strategic orientation is not advisable for another one, even in the same economic sector, with a different strategic orientation. For example, if your organization competes on price its KPI are about efficiency and volume. In that case you can use indicators like:
• Rate of complains
• Quality costs
• Capacity utilization
• Suppliers performance
• Production uptime
• Rate of late delivery dates
But if your organization competes on innovation its KPI could be about:
• Rate of complains
• Number of new products launched
• Sales of new products
• Margins of new products
• Number of new patents
These materials will provide you details with evaluation criteria and performance indicators:
• article - How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
• article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
• article - Monitoring and Measurement: The basis for evidence-based decisions https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
• - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/ -
Product safety requirements when there are no such requirements
Dear Norma,
You need to define process for product safety and apply it to all your products, the product safety cannot be arbitrarily applied to some products and not to others.
Best regards,
Strahinja -
List of external documents and Quality Manual
1. Clarification on the incoming document register and the list of external documents
a. I cannot identify any external documents that we would list in this record?
b. Should the incoming document register only apply to the documents identified in the list of external documents?
List of external documents should contain all external documents related to the QMS, for example the standard, the documentation provided by the certification body or customer that want to perform 2nd party audit of your company, etc.
2. I have read through the list of tasks in the project but cannot see where the quality manual is created?
a. Apologies if I have just missed this but if you could point me to it or explain where in the process it is created that would be great
There is no particular task for writing the quality manual in the Conformio Step-b y-Step guidance for ISO 9001 implementation simply because it is not a mandatory document and some companies may decide not to write that document at all. I would suggest you to write the manual at the end when you finish all the documents, so you will know exactly what information should be a part of it. For example, you might miss to write something in the procedure, or it doesn't fit, so you can put it in the manual. -
Emergency vs Disaster Management
Answer:
Emergency management (or disaster management) is the organization and management of resources and responsibilities for dealing with all aspects of emergencies—preparedness, response, and recovery—in order to reduce the harmful effects of all hazards, including disasters.
There are no differences between these two. In both cases you need to identify potential emergency or disaster and define actions that will be taken in case if the emergency or disaster occur.
For more information, see: How to satisfy emergency response requirements in ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/19/how-to-satisfy-emergency-response-requirements-in-iso-140012015/