
  • Risk-based thinking in IATF 16949


    Answer:

    When it comes to risk-based thinking or addressing risks and opportunities, IATF 16949 has additional requirements beyond those of ISO 9001. IATF 16949 requires risk analysis to include, at minimum, product recalls, product audits, returns and repairs, complaints, scrap and rework. The evidence of risk-based thinking would be FMEA (Failure Mode and Effects Analysis) conducted for processes, with appropriate actions taken to address the risks. As far as the staff operating the processes are concerned, the best approach is to focus primarily on the risks emerging from their processes and on what has to be done to avoid those risks, for example, how to perform the activities and avoid nonconformities.
  • Conducting "desktop audit"


    Answer:

    I assume you are thinking about an ISO 9001 audit, but it is pretty much the same approach for any standard. A desktop audit is usually a review of an organisation's quality documents to ensure compliance with higher-level documents and to familiarize the auditor with the auditee's quality management system. This is generally done prior to an audit.

    The purpose of this audit is to determine whether the documentation is compliant with the requirements of the standard. So, the best way to approach it is to first determine which clauses and which requirements of the standard are relevant to particular documents, and then to audit the documents against these requirements. If you are new to auditing, it can be helpful to develop the checklist first and then to conduct the audit by following the checklist.

    For more information, see: ISO 9001 Audit Checklist https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
  • Audit criteria and evidence-based approach


    Answer:

    Audit criteria represent the set of requirements against which you will perform the audit. In the case of an internal audit or a certification audit, the criteria are the standard and the relevant management system documentation, for example: is the production process conducted according to the production procedure? Other criteria can be requirements of the customers, legal requirements, etc. For more information, see: What is the ISO 9001 audit program, and how does it work? https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/

    An evidence-based approach means that you are basing your decision or judgement on the evidence you have collected. For example, if you want to determine whether the organization has conducted training according to the training program it developed, you will look for the training records.
  • ISMS audit


    Answer: An ISO 27001:2005 certified lead auditor can perform an internal audit if he/she can prove competence in the 2013 revision of the standard. If not, then this person needs to take training to obtain this competence.

    These articles will provide you with further explanation about the new version of ISO 27001 and the internal audit:
    - Infographic: New ISO 27001 2013 revision – What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    These materials will also help you regarding the internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Lead Auditor Training for ISO27K

    There are many organizations who say they provide certification with training at a cost of less than 5000 INR, and some are providing it at a cost of more than 50000 INR too.
    Which one is to be considered is a big question, and I want this to be done from a recognized/accredited institution only.

    Can you please suggest?

    Answer: We do not have deep enough knowledge of the Indian market to point you to the best solution, but you can make contact with these training providers:
    - SGS https://www.sgsgroup.in/en-GB/Office-Directory.aspx
    - BSI https://www.bsigroup.com/en-IN/Contact-us/
    - Bureau Veritas https://www.bureauveritas.co.in/home/worldwide-locations/coin-locations

    This article will provide you with further explanation about the Lead Auditor course:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Cost of downtime


    Answer:
    Downtime consists of two types of costs:
    1. Direct, like:
    - lost profit
    - cost generated by resolving the issues which caused the downtime (hours of your employees)
    - SLA penalties (or even a lost SLA)
    - cost of end-user (un)productivity
    - costs towards third parties
    - etc.
    2. Indirect, like:
    - reputation damage
    - cost of lost opportunity
    - regulatory/compliance breach costs
    - etc.

    So, as you can see, while calculating the costs of downtime, some costs are easily identifiable and some are just good estimates. Financial people or the business will be of great help, so use the chance and include their inputs in the calculation.
  • New 9001 and 13485 standard

    Hi Juanito,

    ISO 13485:2016 still requires a management representative, so in order to be compliant with the standard you need to assign this role to someone in your organization.
  • Risk register and environmental aspects

    1. Can we make a single risk register for the company as a whole, or do we have to make them function-/department-wise, or is the option left to the organization?

    The standard does not define how an organization will compile its risk register, so you can do it in any way that you find the most suitable. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

    Regarding the EMS 2015 standard:
    1. Do we also have to make a risk register for the EMS as per cl. 6.1?

    Yes, you should make a risk register for the risks and opportunities related to the EMS, and you can do it in the same way as for ISO 9001. For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/

    2. For the aspect/impact study, is there any template / format to use?

    Yes, we do have templates for the identification and evaluation of environmental aspects and impacts. Here you can download a free preview of our Procedure for Identification and Evaluation of Environmental Aspects and Risks https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Lead Auditor certification and CISA


    Answer: The interpretation of pros and cons will depend on the context of the audit scenario considered. CISA is more focused on the audit of information systems and IT processes, while ISO 27001 Lead Auditor covers information protection regardless of where it is found (digital format, paper media, people, etc.).

    That said, if an audit focuses on information security management, ISO 27001 LA would provide a better basis for the audit. On the other hand, if the audit will cover aspects like IT governance activities and technical processes, CISA is more adequate. It can also help you perform audits considering the strategic relationships between information systems and business objectives.

    This article will provide you with further explanation about the Lead Auditor and CISA certifications:
    - CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
  • SoA and outsourced IT


    Answer: You should include the controls in the SoA. Even if they are implemented by your IT service provider, including them in the SoA is a good idea because this way your organization will have a clear overview of who will implement which control, making it easier to keep track of all controls, who is responsible for them, and what their status is.

    The proper way to do that is to state the control as applicable and indicate which third party will implement the control and what the legal basis for it will be (e.g., implemented by a third party according to the service agreement).

    You should also note that by doing it this way you have to ensure that you state control A.15.1.2 (Addressing security within supplier agreements) as applicable, and retain as evidence the service agreement with the security clauses your provider must comply with. These security clauses basically refer to the controls your organization states as applicable in your SoA and that you want the provider to apply.

    These articles will provide you with further explanation about controls in outsourced IT:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

    These materials will also help you regarding controls in outsourced IT:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
