  • Controls implementation


    While we think this is a good recommendation and would like to implement it later, we would like to defer it during our Stage 1 and Stage 2 audits. The reason not to implement it initially is that getting all departments on board with this and all documents updated is going to be a huge effort, and the 4th quarter is a stressful time of the year for our business. Our Stage 1 audit is at the end of November.

    Will we get a non-conformity, especially a major one, if we elect not to incorporate this in our SOA for the aforementioned reason?

    Answer: You can leave some of the controls to be implemented after the audit, under the following conditions:
    1) That you have implemented before the audit the controls that mitigate the biggest risks – in other words, you can leave only less important controls for after the audit
    2) That you have specified the deadlines for the controls that you will be implementing after the audit in your Risk Treatment Plan – of course, those deadlines must be after the audit date
    3) That your risk owners or top management accept all the risks for which controls have not been implemented before the audit

    This means that the most important controls must have "implemented" status at the audit, while the less important controls can have the status "planned" or "partially implemented" at the moment of the audit. Of course, for controls with the status "partially implemented" you have to keep evidence of the activities already performed regarding the implementation (the auditor won't audit the control, but he will verify whether the implementation plan is being executed).

    This material will also help you regarding controls implementation:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
  • Risk Mitigation Options

    We received this question:

    I tried to find the paragraph in ISO 27001, but can't find it there – can you include that in the web answer?

    Answer: Sorry for this confusion. I understand now that you are referring to ISO 27001 content, and not to our toolkit's content.

    In fact, ISO 27001 does not define risk treatment options, it only requires that the organization selects appropriate options taking into account the risk assessment results (clause 6.1.3 a)). The standard was designed this way so the organization can have flexibility to choose the options more relevant to its context.

    However, the standard includes a note informing that its information security risk assessment and treatment process is aligned with ISO 31000, the ISO standard for risk management. In that standard you can find information about risk treatment options (in section 5.5.1), as well as in the standard ISO 27005 (Information security risk management), in section 9.

    The 4 risk treatment options in our toolkit are among the options suggested in ISO 31000 and ISO 27005, and they are the most commonly used. You can see details about them in the article I mentioned in my previous response.
  • ISO 27001 requirements


    Answer: ISO 27001 requires only that physical areas and equipment are protected against unauthorized physical access, damage, loss and interference, providing general controls to be fulfilled for each issue (e.g., security perimeter, equipment maintenance, entry controls, etc.). This standard does not provide details on how this should be done (e.g., type of technology, quantities, etc.). For more detailed guidance you should consider ISO 27002, which provides guidelines for the implementation of the controls from ISO 27001.

    These articles will provide you further explanation about ISO 27001 and ISO 27002 and physical controls:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/
    - Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

    These materials will also help you regarding ISO 27001 and ISO 27002:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO standards for public sector


    Answer:

    There are numerous ISO standards that can be implemented in the public sector, but the most commonly implemented are ISO 9001, ISO 14001, OHSAS 18001 and ISO 27001. There are also a lot of supporting standards that are not meant for certification but provide guidelines for implementing the above-mentioned standards, like ISO 18091.

    For more information see:
    - What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/
    - What is ISO 14001? https://advisera.com/14001academy/what-is-iso-14001/
    - What is OHSAS 18001? https://advisera.com/18001academy/what-is-iso-18001/
    - What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
  • Effectiveness of a QMS


    Answer:

    Management review meetings are a good moment to evaluate the effectiveness of a QMS by analyzing to what extent quality objectives have been met. Organizations should not use a cookie-cutter approach to define key performance indicators (KPIs). What is suitable for an organization with one strategic orientation is not advisable for another one, even in the same economic sector, with a different strategic orientation. For example, if your organization competes on price, its KPIs are about efficiency and volume. In that case you can use indicators like:
    • Rate of complaints
    • Quality costs
    • Capacity utilization
    • Supplier performance
    • Production uptime
    • Rate of late delivery dates
    But if your organization competes on innovation, its KPIs could be about:
    • Rate of complaints
    • Number of new products launched
    • Sales of new products
    • Margins of new products
    • Number of new patents

    These materials will provide you with details on evaluation criteria and performance indicators:

    • article - How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
    • article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    • article - Monitoring and Measurement: The basis for evidence-based decisions - https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
    • free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Product safety requirements when there are no such requirements

    Dear Norma,

    You need to define a process for product safety and apply it to all your products; product safety cannot be applied arbitrarily to some products and not to others.

    Best regards,

    Strahinja
  • List of external documents and Quality Manual


    1. Clarification on the incoming document register and the list of external documents
    a. I cannot identify any external documents that we would list in this record?
    b. Should the incoming document register only apply to the documents identified in the list of external documents?

    The list of external documents should contain all external documents related to the QMS, for example the standard, the documentation provided by the certification body or by a customer that wants to perform a second-party audit of your company, etc.

    2. I have read through the list of tasks in the project but cannot see where the quality manual is created?
    a. Apologies if I have just missed this but if you could point me to it or explain where in the process it is created that would be great

    There is no particular task for writing the quality manual in the Conformio Step-by-Step guidance for ISO 9001 implementation, simply because it is not a mandatory document and some companies may decide not to write that document at all. I would suggest that you write the manual at the end, when you finish all the documents, so you will know exactly what information should be a part of it. For example, you might forget to write something in a procedure, or it doesn't fit there, so you can put it in the manual.
  • Emergency vs Disaster Management


    Answer:

    Emergency management (or disaster management) is the organization and management of resources and responsibilities for dealing with all aspects of emergencies—preparedness, response, and recovery—in order to reduce the harmful effects of all hazards, including disasters.

    There are no differences between these two. In both cases you need to identify the potential emergency or disaster and define the actions that will be taken in case the emergency or disaster occurs.

    For more information, see: How to satisfy emergency response requirements in ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/19/how-to-satisfy-emergency-response-requirements-in-iso-140012015/
  • Defining severity and probability


    Answer:

    The way of calculating risks, or the severity and probability of the risk, depends on the methodology you use. Since most of the methodologies are semi-quantitative (they use numbers to express the value, but it is not expressed in any measuring unit), the key is to ensure repeatability, meaning that the methodology enables different persons to come up with the same results.

    To achieve this, you need to determine criteria by which you will determine probability or severity on a predefined scale (e.g. from 1 to 5). For example, if something happens every day, it has high probability and is marked with 5; if something happens once in ten years, it has low probability and is marked with 1. The same should be done for severity: you make the scale and define when each value in the scale will be assigned.

    Once you define the severity and probability criteria, you need to decide how to calculate the risk, whether by subtraction or multiplication. For example, if we take that risk is calculated as severity + probability and we take our scales from 1 to 5, the maximum risk can be 10 and the lowest risk can be 2. On this range of the scale, you need to define what risk level is acceptable and what risks need to be addressed. For example, risks lower than 6 are insignificant and won't be analyzed any further.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
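    A worked illustration of the scoring approach described in the answer above, as an added example that is not part of the original answer: criteria-based 1-to-5 scales, risk = severity + probability on a 2-to-10 range, and risks below 6 left unanalyzed. The frequency and severity criteria tables and the risk register are constructed for illustration, and the multiplicative variant is added only for comparison with the answer's additive formula.

```python
from dataclasses import dataclass

# Probability criteria (constructed): scored by how often the event occurs, so
# different assessors given the same fact arrive at the same number (repeatability).
PROBABILITY_CRITERIA = {
    "daily": 5,              # the answer's example for a score of 5
    "monthly": 4,
    "yearly": 3,
    "every few years": 2,
    "once in ten years": 1,  # the answer's example for a score of 1
}

# Severity criteria (constructed): descriptive bands instead of a gut feeling.
SEVERITY_CRITERIA = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

ACCEPTABLE_BELOW = 6  # the answer's threshold on the additive 2..10 range


@dataclass
class Risk:
    name: str
    frequency: str  # a key of PROBABILITY_CRITERIA
    impact: str     # a key of SEVERITY_CRITERIA

    def score(self, method: str = "sum") -> int:
        p = PROBABILITY_CRITERIA[self.frequency]
        s = SEVERITY_CRITERIA[self.impact]
        if method == "sum":      # the answer's worked formula, range 2..10
            return s + p
        if method == "product":  # the other common choice, range 1..25
            return s * p
        raise ValueError(f"unknown method: {method}")


def treatment_list(risks, method="sum", threshold=ACCEPTABLE_BELOW):
    """Risks at or above the threshold, highest score first; the rest are accepted."""
    scored = [(r.score(method), r.name) for r in risks]
    return sorted([(sc, n) for sc, n in scored if sc >= threshold], reverse=True)


# Constructed register used to exercise the method
REGISTER = [
    Risk("Phishing email", "daily", "minor"),                        # sum 7, product 10
    Risk("Data centre flood", "once in ten years", "catastrophic"),  # sum 6, product 5
    Risk("Laptop theft", "yearly", "moderate"),                      # sum 6, product 9
    Risk("Printer jam", "monthly", "negligible"),                    # sum 5, product 4
]

if __name__ == "__main__":
    print(treatment_list(REGISTER))                # additive: three risks to treat
    print(treatment_list(REGISTER, "product", 6))  # multiplicative: the flood drops out
```

    Note that the rare but catastrophic flood is treated under the additive formula but falls below the same threshold under the multiplicative one, which is why the acceptability threshold must be defined for the range the chosen calculation actually produces.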
  • Roles and responsibilities

    Really, I am finding your articles very interesting, as I did follow the 12 steps that one needs for OHSAS 18001. In the roles, responsibilities & authorities, how do you do it? You need to assign the roles to people who participate in implementing the policy? And give them responsibilities to do, meaning their job description and authority? Must the management also have a duty to do, accepting the resolutions?
    Best regards

    Answer:

    OHSAS 18001 requires the organization to assign roles and responsibilities for:
    a) Ensuring that the OH&S management system is established, implemented and maintained in accordance with this OHSAS Standard;
    b) Ensuring that reports on the performance of the OH&S management system are presented to top management for review and used as a basis for improvement of the OH&S management system.

    Basically, you need to assign responsibility to someone (or a group of people) in your organization for compliance with the standard and for reporting on the performance of your Occupational Health and Safety Management System (OH&SMS). This person is the management representative and should be part of the top management. He or she should coordinate internal audits and other activities regarding the OH&SMS and report to the top management.

    For more information, see: Which roles and responsibilities should exist in the OH&SMS according to OHSAS 18001? https://advisera.com/18001academy/blog/2016/01/13/which-roles-and-responsibilities-should-exist-in-the-ohsms-according-to-ohsas-18001/