The process approach, risk-based thinking and the PDCA cycle are three concepts that together form a fundamental part of ISO 9001:2015.
ISO 9001 encourages the adoption of the process approach when developing, implementing and improving the effectiveness of the QMS.
Management of the processes, and of the system as a whole, can be carried out using the PDCA cycle (0.3.2) with an overall risk-based approach (0.3.3).
Clauses 0 to 3 contain no requirements for the QMS, so they are normally not included in the manual.
Communication process for OHSAS 18001
Answer:
The means of communication between the top management and other members of the staff will depend on the type of the organization and level of education of the rest of the staff.
The best ways are the ones that leave a written trail, but it doesn't have to be email or memos; you can create a message board where you put the notifications to the employees. In the case of significant announcements and big changes, it is better to arrange training for employees where you can explain to them what the company requires from them.
Since the cause was lack of awareness, the corrective action should be to raise awareness and maybe to perform additional training for the IT staff so they get familiar with the requirements of the standard and what is expected from them. As a follow-up, you can later audit the IT department to check whether it is compliant with the standard and the procedures the organization defined.
Implementing OHSAS 18001 is sufficient for getting the certificate based on this standard. I'm not sure what you mean by Health and Safety certification, but in most cases OHSAS 18001 is enough.
2) How best can an employer deal with a worker who does not abide by the safety guidelines stipulated by the company in regards to the implementation of Occupational Health and Safety Management Systems?
In cases where an employee is not following the company procedures and guidelines, all you can do is warn, punish and ultimately expel the employee from the work site.
3) Kindly list down the safety requirements, procedures and policies that a company must have in compliance with OHSAS 18001 and the possible optional ones.
Could you clarify whether clause 4 can be written in detail in my Quality Manual without a separate procedure?
Is clause 5.1.1 a new requirement? I observe that all of clause 5 and its sub-clauses on leadership are basically the same, except for the risks and opportunities that must be identified and addressed so as not to affect customer satisfaction, or the risks of customer dissatisfaction.
Answer:
First, the requirements for context of the organization do not include documenting the context or writing a procedure. If you decide to document it, you can include it in your Quality Manual or write a separate procedure; since it is not a requirement of the standard, you are free to do it in any way that you find the most suitable. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
The main difference is in the scope: a work instruction usually describes one operation or activity, while a Quality Plan is written for an entire process. Work instructions are usually written in the form of text or a flow chart, while a Quality Plan is in the form of a spreadsheet, but the purpose of both documents is to ensure that the process or activity is carried out as planned.
Answer: No. Vulnerabilities are weaknesses that may also be the result of improper implementation of an otherwise well-designed project (e.g., a safe made of a defective alloy) or of a control misconfiguration (e.g., a password policy that enforces alphanumeric characters but limits the length to a small value).
Currently we are writing the Risk Assessment Table and we have found some doubts about the definition of "Asset Owner". Considering the risk "mail exchanged with customers and partners (docs in paper)", the asset owner is:
- the person who is exchanging the mail, i.e. the one responsible for guaranteeing the security of the mail exchange, or
- the person responsible for guaranteeing (or not, in the case of an information leak, for example) the security of the information exchange (i.e. some governance or compliance department)
I apologize if I was not clear in the explanation. If you have any question, please let me know.
Answer: The asset owner in this case is the person who is exchanging the mail, because he is the one most interested in the information not being compromised and will seek the implementation of proper security controls.
The other role in the risk assessment is the "Risk Owner", the one with the accountability to ensure the risk is properly handled (e.g., the person responsible for the mail services).
Answer: You should keep the documentation as small and simple as possible. So, considering 5 departments, the best approach would be to propose drafts for evaluation by the department heads. You should consider writing general documents that can cover all departments, including specific sections for specific situations regarding the departments. If you see that this approach cannot cover the department needs, then you should consider writing specific procedures for the departments that need them (in our experience the general documents cover most of the situations).
Examples of documents that can be written for the whole organization are the Statement of Applicability and the risk assessment report. Examples of documents that should be written by each department are records of monitoring and measurement.