Answer: You can consider a succession plan as a business continuity strategy to act in a preventive manner to minimize disruptions and impacts regarding the loss of a key person in your organization (e.g., CEO, lead researcher, etc.). A properly developed succession plan can ensure the continuity of authority, decision-making, and communication regarding the function performed by the unavailable person.
Unfortunately we do not have a specific template for a succession plan/strategy, but you can consider this process as part of career planning, with activities related to the analysis of jobs and people to ensure that there is a pool of experienced and capable personnel who can step into positions as they become available, either because of planned availability, as people get promoted or retire, or because of unplanned vacancies. Considering this, I suggest you take a look at the free demo of our:
- Training and Awareness Plan: https://advisera.com/27001academy/documentation/training-and-awareness-plan/
- Business Continuity Strategy: https://advisera.com/27001academy/documentation/business-continuity-strategy/
to check if it can fulfil your needs. You just have to scroll down the screen a little to find the free demo tab.
I am currently situated in Singapore, which acts as the production HQ for five shoe factories based in Asia and Europe. I am trying to redraft the quality manual (currently based on the 2008 version) to conform to ISO 9001:2015. I hope to know if the requirements below are justified to be excluded from the quality manual.
For 8.2 & 8.3, the justification for exclusion is that these processes are owned by the R&D function sitting in Denmark, thus my site has no control over them. For 8.5.3, we don't own any customer's or external provider's property in the factories today.
8.2 Requirements for products and services
8.3 Design and development
8.5.3 Property belonging to customer or external providers
Are these exclusions acceptable? Appreciate your insights.
Answer:
It is hard to conclude from your question whether the R&D function is part of your QMS scope or not. If yes, then it is impossible to exclude clause 8.3. If not, you need to define your relationship with the R&D section; they can be considered as your external provider, so you only need to define controls for external providers and can exclude clause 8.3.
When it comes to clause 8.2, it is not clear how this is related to R&D, since these requirements are related mainly to the sales process and this can hardly be excluded in your case. The clause includes identification of product requirements and review of product requirements, so it is rather hard to exclude it. A justification for the exclusion could be that you only work for one customer, and even in that case it is stretched. I would suggest you keep these requirements within your QMS, although I cannot say with 100% certainty since I do not have all the information.
As far as clause 8.5.3 is concerned, your justification is OK, and you can exclude these requirements from your QMS.
The new version of the standard doesn't require the manual, so you can write it any way you want. If it is a requirement of the supplier, you can ask them what elements the manual should contain.
For example, in most cases the manual follows the structure of the standard, and one of my clients had a supplier audit where they found as a "nonconformity" that the manual only covers clauses but not sub-clauses of the standard, but this is a minor issue and I'm sure even in such cases it wouldn't be a problem.
Internal audit according to the standard and EMS documentation
Also, would it be more effective to respond to each point individually, or write a statement that covers all of the points?
Answer:
An EMS (Environmental Management System) needs to address all requirements of the standard in order to be compliant with ISO 14001. The purpose of the internal audit is to check whether all these requirements are met. Meeting the requirements of the standard also includes the rules and procedures that the company prescribed in order to enhance the effectiveness of the EMS, so you need to check not only the documents defined by the standard but also the additional documents and records your company included in the EMS.
When it comes to auditing, it is better to audit requirement by requirement of the standard and see if the documents and activities meet those requirements. Maybe the manual is not fully compliant with the standard, and if you audit only according to the manual, you might miss checking some requirements. It is crucial to check all requirements, but you do not have to write statements for each requirement.
The absence of a work instruction at the place of application can be a nonconformity under the following clauses:
- 7.5.3.1 a) "Documented information required by the quality management system and by this international standard shall be controlled to ensure it is available and suitable for use, where and when it is needed."
- 8.5.1 a) "Controlled conditions [for production] shall include, as applicable the availability of documented information that defines[...] activities to be performed".
Furthermore, keep in mind that your QMS should be aligned not only with the requirements of the standard but also with the documents that you defined as necessary for the effectiveness of the QMS, which means the documents the company defined within its QMS. So you don't have to be in collision with the standard to have a nonconformity; a nonconformity can be issued if you do not follow your own procedures and work instructions.
At this point in time, I think it would be much better to wait for ISO 45001 and avoid implementing OHSAS 18001, simply because ISO 45001 will be published in a couple of months and from that moment the transition period will start for organizations that have OHSAS 18001 to move to ISO 45001.
If you start your OHSAS 18001 implementation now, you will probably finish it after ISO 45001 is published, and after certification you will have to start thinking about the transition. Waiting for a couple of months will save you a lot of effort and expense, unless you are forced by your customers to certify to OHSAS 18001 as soon as possible.
Rescheduling the audit
There is no time-frame defined by the standard, but it is better to do it as soon as possible. It is important to cover the entire scope of the QMS and all requirements of the standard with the internal audit over the period of one year. This also isn't a requirement of the standard, but it is common practice.
Could you please elaborate on what the difference is between risk treatment and a risk treatment plan?
Answer: Risk treatment refers to the options you have available to treat a risk, the most common being risk acceptance, risk mitigation, risk avoidance and risk transfer. When we talk about a risk treatment plan we are talking about the specific activities, responsible persons, deadlines and resources needed to implement the chosen risk treatment.
For example, regarding the risk of a database compromise by malware, you can define risk mitigation as the risk treatment, and for the risk treatment plan you can define:
- Joe has to install antivirus on database servers by the end of June/2017
- John has to implement a backup routine for databases by the end of July/2017.
For a malicious attack, which control is necessary? As per the video it says physical and environmental security; however, I think it should be operation control.
Answer: In fact both types of controls may be necessary. Physical and environmental security prevents an attacker from having direct physical access to an asset (e.g. access to a paper document, a server, a switch, etc.), while by using operation controls you can handle risks related to abuses while operating equipment and facilities, as well as attacks that can be performed remotely (e.g., invasion through software exploitation). The application of different types of controls to protect an asset is what we call defense in depth.