According to the standard, the organization needs to define the scope by listing all activities, products and services that it provides. In addition, it can define which locations are also covered by the scope. Waste disposal and use of resources are operational controls to be established once all activities, processes, products and services are examined. You can write financial services as your scope; you don't have to go into much detail, but basically, the scope should show what type of business the organization is doing.
You can have the simple statement that the scope of your EMS covers financial services, or something in that style, but you must define it. The statement about your scope is usually something that will be written on your certificate, and I assume you wouldn't like it to be something other than what your company does.
Answer: By Acceptable Risk Document I'm assuming you are referring to a document informing the results of a risk assessment. Considering that, in this document you have to include a brief description of the methodology you used to identify and analyse the risks, the criteria used to evaluate them and the results of the risk assessment, including the list of acceptable risks, so anyone looking for information about how and why you decided to accept the risks can easily find it.
An incident response plan describes what has to be done immediately after a disaster occurs, to reduce the effects of the incident, while a Recovery Plan describes how to recover the infrastructure, applications, data, and how to decide when the recovery is completed so that normal operations can begin.
Is there a document that supports us when it comes to the point of ISO 27001 and the above mentioned? Data privacy protection regulations. Is there a checklist that would help us to deal with the new regulations we have from May 2018 on?
The requirement is that we need to show that we can align ISO 27001 A.18.1.4 and the DSGV. Clause A.18.1.4 is often considered as not really up to the DSGV and its tight measures of Data privacy protection regulation.
Answer: Only some activities related to ISO 27001 can be semi-automated (e.g., control of documents, controls measurement, risk assessment, etc.). Being a management system, ISO 27001 still requires some human intervention to analyse and evaluate information.
At this link you can see our online tool Conformio, which can help you manage ISO 27001 implementation project and documentation after implementation: https://advisera.com/conformio/
Could you explain to me what can cause a change to the QMS? And where can the change happen in the QMS? Should I need to have documented information for changes (e.g. a change management procedure)?
Answer:
Changes in the QMS can be caused by the organization itself wanting to improve its processes, the customer who wants to ensure that provided products or services meet its requirements, or changes in the relevant legislation. The changes can happen in the processes, their sequence and interaction, documentation or any other aspect of the QMS.
The standard does not require any document for this requirement, but it can be beneficial to have some kind of record to demonstrate that the changes are carried out according to the plan and in compliance with the standard.
The standard does not require risks and opportunities to be determined for life-cycle stages of the product, but significant environmental aspects. Risks and opportunities need to be determined regarding the context of the organization and its EMS (Environmental Management System) effectiveness. For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
On the other hand, the standard requires the life-cycle of the product to be examined in order to determine significant environmental aspects related to different life-cycle stages. This can be done by examining each stage and determining whether there are significant environmental aspects that require control. For more information, see: How does product life cycle influence environmental aspects according to ISO 14001:2015? https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
How much experience is needed and what is the exact procedure?
And if we want to do ISO documentation of any organization, what are the things to be followed?
Answer:
If you want to pursue a career in quality management, you need to gain competence in ISO 9001, and this is the first step. Although having a background in engineering or production processes can be beneficial, it is not mandatory, and there are no requirements for experience other than the ones your employer defines. I suggest you take a look at our free ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
When developing documentation for any ISO standard, you need to identify first the requirements for mandatory documents and also to determine the organization's needs for some additional procedures, records, work instructions etc. Here you can see what documents are required by ISO 9001:2015: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
Determining interested parties and their needs and expectations is part of the process of determining the context of the organization. However, determining internal and external issues (i.e. the context) and identifying relevant interested parties and their needs and expectations are different in terms of how they are carried out and how they can be recorded. Therefore, I think it is better to have different sections of the manual or separate documents dedicated to these two topics. It doesn't really matter from the perspective of the standard how you choose to document this, since there are no requirements to document the context or interested parties, so you can adopt the approach that you find the most suitable for your organization.
Both interested parties and issues can be external and internal; for example, internal interested parties are the top management, employees, unions, etc., and internal issues are the organization chart, internal communication process, organizational culture, etc. Also, you need to determine the needs and expectations of the interested parties, and there is no analogous requirement for the context.