Top management must assign responsibilities and relevant roles for the EMS development, reporting, and maintenance so that it meets the intended goals.
Do you have a guidance toolkit please?
Answer:
We do not have a separate toolkit for assigning roles and responsibilities within the EMS (Environmental Management System), and you do not need one. You simply need to define through your procedures and work instructions who is responsible for what, or you can have a separate document where you define all roles and responsibilities within the EMS.
Requirements for the quality policy in IATF 16949 are the same as in ISO 9001:2015. The policy must be appropriate to the purpose and context of the organization and support its strategic direction, provide a framework for setting the quality objectives, include a commitment to satisfy applicable legal requirements, and include a commitment to improve the quality management system.
As for implementing SPC (Statistical Process Control) online, you will need some software solution.
Support material for online courses
Answer: Yes, it is possible to become certified with only the information provided in the course, but you should consider buying the ISO books as sources of explanations and examples that can make it easier to understand the standard, and it is always good to have this kind of information at hand for a quick consultation.
Asbestos cement sheeting is commonly found as grey corrugated or flat sheets. It is thin and brittle and produces a clean edge when broken. It contains a small amount of asbestos encapsulated within cement, which, in good condition, does not normally present a risk to health. Please remember that any work on asbestos sheet may generate airborne asbestos fibers.
Asbestos should be disposed of at an organization authorized to handle asbestos, such as a waste recycling centre. Before bringing asbestos to the waste recycling centre, take these actions to ensure your asbestos will be accepted:
- all pieces of asbestos should be double-wrapped in heavy-duty plastic; this does not include plastic such as bin liners or carrier bags
- the double-wrapped plastic does not need to be clear, but you should ensure that nothing is protruding from inside the plastic, as this will not be accepted
- you should soak large pieces before breaking them down to bring onto site; this stops fibers escaping
How can I handle the alternate process control method? Within the "normal" control plan, or by making another control plan?
If I use the normal control plan, do I have to mark the alternate controls in any way?
Answer:
The organization needs to identify, document and maintain the alternate methods for process control and get approval from the customer for these controls. The list of alternate process control methods should be referenced in a control plan, so you do not have to create another control plan; just include references to the alternate controls in the existing one.
Since alternate controls are used incidentally and not on a regular basis (the standard requires the organization to return to the standard process as soon as possible), the alternate controls should be distinguished in some way from the regular controls in the control plan.
Documenting Design History File
If all our records are electronic (e.g. JIRA, confluence, office365) do we need to maintain a design history file (DHF)? Or can we just provide all the documents or an index of those documents?
Answer:
Design and Development File and Design History File are basically the same documents. The ISO 13485 standard requires the organization to maintain this file for each medical device type or device family. It must include either records or references to them to demonstrate conformity to the requirements for design and development, and records of design and development changes.
You don't have to have a separate record for it; you can create a database or an index of all of those documents.
Scope and asset definition
1. May we/should we exclude third-party cloud providers (document management, e-mail, and time and billing)? [Note: Most have their own ISO 27001 certifications—may we or should we reference these in our documentation, or would that only confuse things?]
Answer: By the scenario you described, you do not need to include the third-party cloud providers in your scope. The main point to consider here is how much direct control your firm has over the applications and databases hosted on the outsourced IT services. If you can manage the applications (e.g., create and manage user accounts, change configurations, etc.), you should include the applications in your scope. If all this management work is performed by the provider, you have to include only the databases in your ISMS scope (e.g., email database, documentation database, time and billing database).
2. Should we include our IT service provider? If so, how deeply must we delve into their systems? [They provide similar services to many companies, and have visibility into our system for maintenance and troubleshooting.]
Answer: As explained in the first answer, you do not have to include your IT service provider in the scope.
3. A related question pertains to the distinction between a company and its software. For example, Microsoft as a company may be subject to threats such as breach of contractual relations or equipment failure. At the same time, its software (in this case Office 365) may have its own threats and vulnerabilities, such as application errors, inadequate patching, etc. Should these be combined in the risk assessment table as a single reference to Microsoft with all related threats and vulnerabilities, or should it be broken out as third-party provider and software? (Assuming, of course, that they are included at all consistent with our questions above.)
Answer: Considering your example, if your relationship with Microsoft is limited to the use of Office 365, then "Office 365" is the asset to be assessed, and all identified risks should be associated with it. However, if besides Office 365 you also use other Microsoft products or services (e.g., OneDrive, Skype, Windows, etc.), then an additional asset, called, for example, "Software Provider - Microsoft", should also be considered for assessment, because now you also have to consider risks in terms of all Microsoft products and services you use, not only the risk for specific ones, and this can be better handled if they are concentrated in a single asset.
Security in web applications
Thank you for your reply,
Is 27001 combined with 27002 a good idea to secure a web application also? Because I mean there are some points in 27001 that we probably don't need, or if I want to write a security policy for a web application, because I didn't get a lot of information about 15408 and how it works.
What do you think about PCI? I'm just trying to get the best norm and explain why. Thanks for your help.
8.5.1.2 Standardized Work
8.5.1.2 Standardized Work – operator instructions and visual standards
The organization shall ensure that standardized work instructions are:
a) Communicated to and understood by the employees who are responsible for performing the work;
b) Legible;
c) Presented in the language(s) understood by the personnel who are responsible to follow them;
d) Accessible for use at the designated work area(s).
Thank you
Answer:
In the case when you have different nationalities, you can choose to define an official language of the company, so that all official documents are required to be written in this language, but this won't resolve your problem with people who don't speak the language.
For people who do not speak the official language of the company, you can either translate the documents that they need to use and make the documents bilingual, or try to make those documents more pictorial and avoid writing text, presenting them with pictures instead. In any case, you do not have to translate all QMS documents, but only those that are used by employees who don't speak the official language.
Making IATF 16949 transition using documentation templates
Answer:
The templates can be very useful and save you a lot of time and effort in the transition project. They are usually well formatted and cover all requirements of the standard regarding the documentation. Basically, you will save yourself from spending too much time on details and technicalities related to the standard and focus on the essence and process control.
When thinking of purchasing the templates, it is important to make sure they contain all mandatory documents and maybe some non-mandatory documents that can be useful. It is also important to see what kind of support is included in the price: do they offer online meetings, answering your questions by email, document review, etc.?