  • Top management role in QMS


    Answer:

    Top management plays a key role in the QMS (Quality Management System) when it comes to planning and maintaining the system. The entire clause 5 is dedicated to the obligations of top management, such as providing resources, assigning responsibilities, taking accountability for the effectiveness of the QMS, etc.

    Other clauses also require the involvement of top management, such as determining the context of the organization, addressing risks and opportunities and, finally, management review. The Check phase of the PDCA cycle prescribed by the standard includes the management review, where the effectiveness of the QMS is to be considered and actions for QMS improvement are to be proposed. This is impossible to perform without top management, as they are the ones who determine what actions will be taken and who provide resources for these actions and for the entire QMS.

    For more information, see: To what extent should top management be involved in your QMS? https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/
  • Knowing ISO 27001

    Considering also the specification you provided:

    >"In their first response to the forum they suggested:
    >This article will provide further explanations on the integration of management systems:
    > - How to implement integrated management systems / ... / -
    >But I cannot open this article. On the other hand, in the suggestion they gave I did not realize whether the idea of the study is to analyze in which organizations it is possible to integrate the 27001?

    >My specific question was to ask for help in the sense that, with your broad vision, you could see a topic that I could take advantage of to do a study and thus be able to make my thesis; what I wanted to take advantage of here is a theme that helps make visible the added value that is the implementation of this regulation 27001, since here in Portugal very few organizations have implemented it. This article / study is to serve as a ramp for which companies have given in bulk."

    First of all, I'm sorry about the problem with the link. Here is the correct link:
    - How to implement integrated management systems https://advisera.com/27001academy/blog/2015/10/05/how-to-implement-integrated-management-systems/

    About your question: the point is not to analyse in which organizations it is possible to integrate the 27001 (the standard is designed to be applicable to organizations of any kind or size), but why, so that you can evidence the added value ISO 27001 implementation can bring to an organization (which I think is your main interest in your thesis).

    Why would an organization implement a standard if it is not mandatory? The general benefits are:
    - Obtain a competitive edge
    - Improve internal organization
    - Reduce losses due to incidents
    - Assure compliance with legal requirements

    Considering each of these benefits, you could develop a thesis identifying specific points related to a specific organization or industry.

    For more information about ISO 27001 benefits, please see: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
  • Certification Audit

    The job description manual stipulates the qualifications and profiles of the positions. Any person in the organization who is involved in the realization of a product must have a position profile, which includes the list of responsibilities and authorities for each position. Therefore, the documented description of a post or position profile should contain: title, reporting line, required external qualifications, required internal qualifications, list of responsibilities and list of authorities. However, it is important to bear in mind that the ISO 9001:2015 standard does not require documentation on position profiles.
  • Communication template in ISO 22301 Toolkit


    Answer: Communication is an activity that is performed by many processes in business continuity, with different purposes, so we do not have a centralized communication plan, so as not to overload the people responsible for communication with activities that may not be part of their attributions.

    Instead, you will find communication plan elements spread across many documents in the toolkit:
    - Appendix 1 – Incident Response Plan
    - Appendix 2 – Incident Log
    - Appendix 5 – Key Contacts

    In the root folder of the toolkit you bought you can find the List of Documents file that will show you which clause of the standard is covered by each document of the toolkit.
  • ISO 27001 and Artificial Intelligence


    1. Does ISO 27001 address AI from a human-factor perspective in the Annexes, and which one?

    Answer: ISO 27001 does not treat requirements and controls in terms of the technologies that can be used, but in terms of the security objectives to be achieved. So there is no control that explicitly addresses AI, but this does not prevent AI from being used in any one of them if you can show that the use of AI fulfils the stated objective (e.g. if you can show that AI can successfully review logs of human activity in search of anomalies, you can address controls A.12.4.1 (Event logging) and A.12.4.3 (Administrator and operator logs)).

    2. Shall we add AI as an add-on to the ISO 27001 ISMS compliance?

    Answer: Using AI is not mandatory for ISO 27001, but you can make such a statement if you can demonstrate how AI fulfils specific requirements or controls of the standard.

    This article will provide you further explanation about specific solutions in ISO 27001:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding controls in ISO 27001:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • EA 35 code

    EA 33 stands for European Accreditation 33, which is used to assign the scope of an organization's business in the information technology area. This code is used to help assign a registrar auditor with appropriate experience to a company. For an ISO 27k certificate with EA 33, you can understand it as an ISO 27k certified organization whose main business is related to information technology.

  • Implementation steps


    (What is the first thing that must be done within an organization to implement ISO 27001: 2013.)

    Answer: The first and most critical step is to get management support for the implementation. Implementing information security will need resources in terms of people, material and capital, and most of all, it involves cultural change, and for that you will need top management support and involvement.

    These articles will provide you further explanation about implementation steps:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding implementation steps:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Writing a Quality Manual


    Answer:

    The new version, ISO 9001:2015, doesn't require a Quality Manual, so organizations that decide to keep it as part of their QMS (Quality Management System) documentation are free to develop it in any way they find most suitable for their needs.

    You can apply the conventional style, which is to follow the structure of the standard and explain how the requirements are met, or reference other documents and procedures that explain this in more detail. You can also include the organizational structure and a short description of the organization, together with a process map.

    Another way is to be more creative and make a process based manual which is much shorter and provides only essential information about the processes and the QMS. For more information, see: Writing a short Quality Manual https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
  • Addressing the product life-cycle


    Answer:

    The standard does not require organizations to address product life-cycle but rather to examine it and determine significant environmental aspects and establish operational controls for them. The controls should be appropriate to the life-cycle stage, for example, once your product reaches the end user, you cannot control how the end user will recycle it, but you can give some instructions on what is the best way to do it.

    For more information, see: Lifecycle perspective in ISO 14001:2015 – What does it mean? https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
  • Updating the manual to meet IATF 16949 requirements


    Answer:

    I assume you meant the Quality Manual, because the standard doesn't mention an Apex manual and I'm not sure what an Apex manual is. As far as the Quality Manual is concerned, IATF 16949, just like ISO/TS 16949, requires a quality manual and extends the requirements regarding this document.

    The previous version of the standard only had the requirements from ISO 9001:2008; IATF 16949 kept this requirement and added basically two requirements to the ones existing in the previous version of the standard:
    1. to include the extent and type of controls for outsourced processes in the description of the sequence and interaction of processes; and
    2. a document indicating where in the QMS the customer-specific requirements have been met.

    For more information, see: How to write the IATF 16949 Quality Manual https://advisera.com/16949academy/blog/2017/05/31/how-to-write-the-iatf-16949-quality-manual/