The absence of a work instruction at the place of application can be a nonconformity under the following clauses:
- 7.5.3.1 a) "Documented information required by the quality management system and by this international standard shall be controlled to ensure it is available and suitable for use, where and when it is needed."
- 8.5.1 a) "Controlled conditions [for production] shall include, as applicable the availability of documented information that defines[...] activities to be performed".
Furthermore, keep in mind that your QMS should be aligned not only with the requirements of the standard but also with the documents that you defined as necessary for the effectiveness of the QMS, which means the documents the company defined within its QMS. So you don't have to be in conflict with the standard to have a nonconformity; a nonconformity can be issued if you do not follow your own procedures and work instructions.
At this point in time, I think it would be much better to wait for ISO 45001 and avoid implementing OHSAS 18001, simply because ISO 45001 will be published in a couple of months, and from that moment the transition period will start for organizations that have OHSAS 18001 to move to ISO 45001.
If you start your OHSAS 18001 implementation now, you will probably finish it after ISO 45001 is published, and after certification you will have to start thinking about the transition. Waiting for a couple of months will save you a lot of effort and expense, unless you are forced by your customers to certify to OHSAS 18001 as soon as possible.
Rescheduling the audit
There is no time frame defined by the standard, but it is better to do it as soon as possible. It is important to cover the entire scope of the QMS and all requirements of the standard with internal audits over a period of one year. This also isn't a requirement of the standard, but it is common practice.
Could you please elaborate on the difference between risk treatment and a risk treatment plan?
Answer: Risk treatment refers to the options you have available to treat a risk, the most common being risk acceptance, risk mitigation, risk avoidance and risk transfer. When we talk about a risk treatment plan, we are talking about the specific activities, responsible persons, deadlines and resources needed to implement the chosen risk treatment.
For example, regarding the risk of a database compromise by malware, you can define "mitigate risk" as the risk treatment, and as the risk treatment plan you can define:
- Joe has to install antivirus on database servers by the end of June/2017.
- John has to implement a backup routine for databases by the end of July/2017.
For a malicious attack, which control is necessary? As per the video, it says physical and environmental security; however, I think it should be operational control.
Answer: In fact, both types of controls may be necessary. Physical and environmental security prevents an attacker from having direct physical access to an asset (e.g., access to a paper document, a server, a switch, etc.), while by using operational controls you can handle risks related to abuses while operating equipment and facilities, as well as attacks that can be performed remotely (e.g., intrusion through software exploitation). The application of different types of controls to protect an asset is what we call defense in depth.
It is hard to give you an estimate for the training of 864 people, especially without any information on what kind of training they need. I assume not all of them need to attend external training and that most of the training can be done with internal resources; for example, an occupational safety officer or engineer can provide training on personal protective equipment.
Since a lot of people are involved, and potentially a lot of money, you first need to define who needs what kind of training and then find the most cost-effective method to provide the training to your employees. When it comes to OHSAS 18001 requirements, the standard itself doesn't require any training to be conducted on the requirements of the standard; you may need a couple of people to attend internal auditor training for OHSAS 18001, and for the rest you need to identify what kind of training is needed, but in most cases it will be related to operating machines and personal protective equipment.
When it comes to the identification of risks and opportunities within the processes, you need to ask yourself what can go wrong in the processes, what can cause a defect, and what can be done to improve process performance. The risks and opportunities identified this way should be evaluated according to the methodology the company has adopted, and actions need to be taken to address the risks and opportunities.
Integrated Management Systems
Would it be fine if I treat occupational health and environment as processes of the quality management system...?
My answer:
If you want to implement an integrated management system (IMS), you will need to define an integrated policy. The policy comprises the general objectives, intentions and direction that the organization's management has identified. Since the new versions of the standards share the same structure, integrating the systems is easier, and they are in turn more coherent.
You cannot treat occupational health or the environment as processes within ISO 9001, since a process is a series of interrelated or interacting activities that use inputs to produce an intended result. Processes use resources to transform the inputs into the system into results (outputs). They are interconnected, since the output of one process often becomes the input for another process. For example, a process could be: the assembly process, the sales process, the manufacturing process, etc.
Is this clause mandatory for ISO 27001 compliance? Can it be avoided? Are there any best/shared practices on how to successfully implement this without forcing employees to sign a non-competition clause or non-disclosure agreement after the end of the contract? (As I outlined, this can be rather costly with increased attrition.)
Answer:
Control A.7.3.1 is not about non-competition clauses; it is about how to close/change access to systems and data after an employee leaves the company or changes his/her position within the company.
Non-competition clauses and NDAs are normally defined as part of control A.7.1.2 Terms and conditions of employment. If you want to avoid a non-competition clause and you are afraid that a particular employee might abuse the information when starting to work for the competition, then you should not allow this employee to access your most sensitive information, and/or your business model should be developed in such a way that its competitiveness cannot be threatened solely by information leakage.
Answer: Since your scope is IT, I'd suggest you implement COBIT, since this framework was designed with IT in mind. ISO 27001 can help with specifics about information security in IT, but this ISO standard is focused on information protection, and it is not as detailed on IT controls as COBIT.
This toolkit contains the following documents: (1) Risk Assessment and Risk Treatment Methodology, (2) Risk Assessment Table, (3) Risk Treatment Table, (4) Risk Assessment and Treatment Report, (5) Statement of Applicability, and (6) Risk Treatment Plan. You just have to scroll down the screen a little to access the free demo tab.
The material is editable and you can make adjustments to fulfil your needs.