Internal audit according to the standard and EMS documentation
Also, would it be more effective to respond to each point individually, or write a statement that covers all of the points?
Answer:
EMS (Environmental Management System) needs to address all requirements of the standard in order to be compliant with ISO 14001. The purpose of the internal audit is to check whether all these requirements are met. Meeting the requirements of the standard also includes the rules and procedures that the company prescribed in order to enhance the effectiveness of the EMS, so you need to check not only the documents defined by the standard but also the additional documents and records your company included in the EMS.
When it comes to auditing, it is better to audit requirement by requirement of the standard and see if the documents and activities meet those requirements. Maybe the manual is not fully compliant with the standard, and if you audit only according to the manual, you might miss checking some requirements. It is crucial to check all requirements, but you do not have to write statements for each requirement.
The absence of a work instruction at the place of application can be a nonconformity under the following clauses:
- 7.5.3.1 a) "Documented information required by the quality management system and by this international standard shall be controlled to ensure it is available and suitable for use, where and when it is needed."
- 8.5.1 a) "Controlled conditions [for production] shall include, as applicable the availability of documented information that defines[...] activities to be performed".
Furthermore, keep in mind that your QMS should be aligned not only with the requirements of the standard but also with the documents that you defined as necessary for the effectiveness of the QMS, which means the documents the company defined within its QMS. So you don't have to be in collision with the standard to have a nonconformity; a nonconformity can be issued if you do not follow your own procedures and work instructions.
At this point in time, I think it would be much better to wait for ISO 45001 and avoid implementing OHSAS 18001, simply because ISO 45001 will be published in a couple of months, and from that moment the transition period will start for organizations that have OHSAS 18001 to pass on to ISO 45001.
If you start your OHSAS 18001 implementation now, you will probably finish it after ISO 45001 is published, and after certification you will have to start thinking about the transition. Waiting for a couple of months will save you a lot of effort and expense, unless you are forced by your customers to certify OHSAS 18001 as soon as possible.
Rescheduling the audit
There is no time-frame defined by the standard, but it is better to do it as soon as possible. It is important to cover the entire scope of the QMS and all requirements of the standard with the internal audit over the period of one year. This also isn't a requirement of the standard, but it is a common practice.
Could you please elaborate what the difference is between risk treatment and risk treatment plan?
Answer: Risk treatment refers to the options you have available to treat a risk, the most common being risk acceptance, risk mitigation, risk avoidance and risk transfer. When we talk about a risk treatment plan we are talking about the specific activities, responsible persons, deadlines and resources needed to implement the chosen risk treatment.
For example, regarding a risk of database compromise by malware, you can define risk mitigation as the risk treatment, and for the risk treatment plan you can define:
- Joe has to install antivirus on database servers by the end of June/2017
- John has to implement a backup routine for databases by the end of July/2017.
For a malicious attack, which control is necessary? As per the video it says physical and environmental security; however, I think it should be operational control.
Answer: In fact both types of controls may be necessary. Physical and environmental security prevents an attacker from having direct physical access to an asset (e.g. access to a paper document, a server, a switch, etc.), while by using operational controls you can handle risks related to abuses while operating equipment and facilities, as well as attacks that can be performed remotely (e.g., intrusion through software exploitation). The application of different types of controls to protect an asset is what we call defense in depth.
It is hard to give you an estimate for training of 864 people, especially without any information on what kind of training they need. I assume not all of them need to attend some external training and most of the training can be done with internal resources; for example, an occupational safety officer or engineer can provide training on personal protective equipment.
Since a lot of people are involved, and potentially a lot of money, you need to first define who needs what kind of training and then find the most cost-effective method to provide the training to your employees. When it comes to OHSAS 18001 requirements, the standard itself doesn't require any training to be conducted for the requirements of the standard; you may need a couple of people to attend internal auditor training for OHSAS 18001, and for the rest you need to identify what kind of training is needed, but in most cases it will be related to operating machines and personal protective equipment.
When it comes to the identification of risks and opportunities within the processes, you need to ask yourself what can go wrong in the processes, what can cause a defect, and what can be done to improve process performance. The risks and opportunities identified this way should be evaluated according to the methodology the company has adopted, and actions need to be taken to address the risks and opportunities.
Integrated Management Systems
Would it be fine if I treat occupational health and environment as processes of the quality management system...?
My answer:
If you want to implement an integrated management system (IMS), you will need to define an integrated policy. The policy comprises the general objectives, intentions and direction that the organization's management has identified. Since the new versions of the standards share the same structure, it is easier to integrate the systems, and they are in turn more coherent.
You cannot treat occupational health or the environment as processes within ISO 9001, since a process is a series of interrelated or interacting activities that use inputs to produce an intended result. Processes use resources to transform the inputs to the system into results (outputs). They are interconnected, since the output of one process often becomes the input for another process. For example, a process could be: assembly process, sales process, manufacturing process, etc.