Answer: Yes, there is. For ISO 27001 one good reference is the Cost of Cyber Crime Report from Ponemon Institute (https://www.ponemon.org/library/2016-cost-of-cyber-crime-study-the-risk-of-business-innovation) (specifically see page 18 - Total cost of cyber crime for low versus high security profiles), but you have to be very careful when presenting this type of data to customers, because each organization has its unique context that can affect the risks each one is exposed to and the impacts they may suffer, so basing an opportunity to avoid costs on data from another organization can lead to wrong conclusions. You could say that these are only examples and that specific data about the client's organization must be evaluated to provide a more precise situation.
The standard requires organizations to ensure that the released product is compliant with requirements. Basically, you need to conduct quality control of the product to ensure it is compliant with the product requirements and to provide evidence of compliance with acceptance criteria. This can be a simple report on the final quality assurance control with the signature of the person authorizing the release of the product or service.
In order to determine the sufficient knowledge to conduct the process, you need to define the process first. For example, if you are a transportation company and you use trucks, your drivers must have a truck driver's licence. The standard doesn't require organizational knowledge to be documented and you don't need a procedure, but some parts of the knowledge will be documented through the work procedures, instructions, etc.
Documents required for total productive maintenance
Answer:
IATF 16949 requires the organization to document the system for total productive maintenance. Basically, you need to document the following:
- process equipment
- resources for machine, equipment and facility maintenance
- packaging and preservation of equipment
- applicable customer requirements
- documented maintenance objectives
- use of preventive maintenance methods
- periodic overhaul
There are no restrictions on implementing ISO 13485, IAF MD 9 and ISO 9001 at the same time and integrating them into one single management system. Having an integrated management system that covers several standards will decrease the number of audit days compared to certifying these standards separately.
The new ISO 13485 has more specific requirements regarding the design, production, sales and post-delivery activities and, in my opinion, it is better than the previous one. The standard is applicable to distributors, and in some countries ISO 13485 is a legal requirement for both manufacturers and distributors of medical devices, so if your country or customers require it, you should implement it.
ISO 13485 is basically ISO 9001 adapted to the medical device industry and I think it provides more value to the medical device industry than the universal ISO 9001.
The new revision of ISO 9001:2015 does not require any procedures, but it does require some records and documents. Instead of six mandatory procedures, there are now six mandatory documents that do not need to be in the form of a procedure. However, it is good practice to have some procedures that will help the organization meet the requirements of the standard.
For more information, see the following articles:
Who should be included in management review meetings
Thank you, sir. We are in a dilemma about this since we are still in the process of implementing ISO 9001:2015. The problem is, they have included Auditors to attend the MRM to present and clarify findings. Thus, that part of the MR Procedure authorizes the attendance of Internal Auditors.
AS9100 Internal Audit Frequency
What is your take on the internal audit requirements for AS9100D and even ISO 9001:2015; do the entire QMS once a year OR a 3-5 year cycle?
Answer:
The internal audit process is an important tool that is used to take a close look at how your processes are working, even if you are using key performance indicators for the process to know how it is working. The internal audit takes a closer look at the details of the processes to ensure that they are adhered to, and to ensure that any corrective actions or improvement activities taken for the process are effective. So, while it is not specified in either AS9100 Rev D or ISO 9001:2015 at what frequency to perform internal audits (such as annually), it does mention that you need to plan your internal audit frequency by taking into consideration the importance of the processes, changes in the organisation and results of previous audits.
So, that being said, I would never recommend a 3 - 5 year cycle for internal audits. If you are not looking at a process for 3 years, how do you know if any corrective actions or improvements are effective or that changes to other parts of the organisation have not affected the process? If you found a problem in one audit, how effective would it be to wait 3 years to look at that process again? Even the certification bodies have a schedule of three years where they do the entire QMS the first year, audit main processes (internal audit, management review, corrective action, etc.) and some of the QMS the second year, audit the main processes and the remainder of the QMS the third year, and then perform a complete QMS audit for the re-certification the following year (and start the cycle over).
So, I am a big believer in having an annual audit schedule that includes all QMS processes, and important or problematic processes more than once if needed, so that you can gain the benefits of the audits. I also believe that this schedule needs to be maintained, meaning it is updated to add a process that has changed or experienced problems. Having a cycle of 3 - 5 years before you re-audit a certain process in the QMS could lead to problems, and you will not get the biggest benefit from your internal audits.
Determining the scope of EMS
Where do you see the place of purchasing in ISO 14001? In my company this department gets all the information and requirements from the development department, so I do not see a smart contribution.
I am asking because of determining the scope. And purchasing in our situation is outside, on the group level.
Thank you in advance for your answer.
Answer:
The purchasing process is an important part of the organization, and clause 8.1 has a significant part about the control of outsourced processes and externally provided products and services. Even if the purchasing is conducted at a higher level, the part of the organization you want to put under the EMS (Environmental Management System) scope still makes purchasing requests and it needs to define those requirements in terms of environmental protection and operational control.
I don't say it cannot be done, but I think it is beneficial for the EMS to include the purchasing process in the scope.