Search results

  • Waste management audit


    Answer:

    The first thing when auditing waste management is to see if there are any statutory and regulatory requirements regarding the type of waste being managed. If there is such legislation, then you need to see if the waste management process is compliant with these requirements first.

    Then you need to see if there is any documented procedure or work instruction that explains how the waste management process is carried out and audit the process according to information provided in the procedure. This type of audit requires the auditor to conduct interviews with employees and the manager responsible for the process to determine if the process is carried out as planned and also whether the process is effective.

    For more information, see: 7 steps in handling waste according to ISO 14001 https://advisera.com/14001academy/blog/2016/11/07/7-steps-in-handling-waste-according-to-iso-14001/
  • Defining quality objective


    Answer:

    When defining any quality objective, you must ask yourself what is best for the QMS and how the objective affects customer satisfaction. In the case of the response to quality issues raised by the customer, the best way to respond is as soon as possible, but you need to define some time frame (e.g. 24 or 12 hours) and measure your response rate so you can see if the objective is achieved or not. Also, you need to define a plan for achieving the objective; in this case, it can be changing the procedure for communication with customers, or hiring new people to ensure that the response time is within the limits you previously defined.

    For more information, see: How to Write Good Quality Objectives https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
  • Reaching objectives and targets in OHSAS 18001


    Answer:

    The first step in reaching the objectives and targets is to define them in a way that enables you to evaluate the level of achievement of the objectives. This means that the objectives and targets need to be SMART (Specific, Measurable, Attainable, Relevant and Timely). Once you define the objectives and targets, you need to define programs for achieving the objectives and targets. This means that you need to define what actions will be taken, what resources are needed, who is responsible and what the deadline is for those actions. Finally, during the management review you need to evaluate the level of achievement of the objectives. For more information, see: How to define OHSAS 18001 objectives and programs https://advisera.com/18001academy/blog/2015/11/11/how-to-define-ohsas-18001-objectives-and-programs/

    Here you can download free preview of our Management Review Minutes for OHSAS 18001 https://advisera.com/18001academy/documentation/management-review-minutes/
  • ISO 27001 benefits


    Answer: For more information about ISO 27001 you can check these materials:
    - What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    The general benefits of ISO 27001 are reduction of expenses caused by incidents, increase in the efficiency on compliance with regulations regarding data protection, privacy and IT governance, increase in competitiveness, and improvement on internal organization. Considering the Rural Tourism scenario you can think about these additional benefits:
    - Better protection of guests' information
    - Improvement on communications infrastructure quality and availability (communication is generally a problem in rural areas)

    This article will provide you further explanation about ISO 27001 benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding ISO 27001 benefits:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Lead Auditor certification


    Answer: The certification is issued by the training provider. Entities like PECB, IRCA and Exemplar Global (formerly RABQSA) provide accreditation for training providers that are compliant with ISO 17024 (Conformity assessment - General requirements for bodies operating certification of persons). A certification issued by providers accredited by PECB, IRCA or Exemplar Global is globally recognized. One example is the exam from our ISO 27001 Internal Auditor course, that is certified by Exemplar Global (for more information about this internal auditor course, please see this link: https://advisera.com/training/iso-27001-internal-auditor-course/)

    This article will provide you further explanation about Lead Auditor certification:
    - Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
  • Audit process


    (Hello, the book gives you a slight idea of an internal audit but does not explain each step in detail, neither what documents are needed or generated, nor how they should be generated. Can you help me with this?)

    Answer: Since you have already read the book, for a detailed explanation about the steps of an internal audit, I suggest you take a look at one of our free online courses about internal audit:
    -ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    -Curso Auditor Interno ISO 9001:2015 https://advisera.com/es/formacion/curso-auditor-interno-iso-9001/
    -Curso Auditor Interno ISO 14001:2015 https://advisera.com/es/formacion/curso-de-auditor-interno-iso-14001/

    These courses have modules specifically devised to present an overview of the requirements of the related standard and details of the internal auditing process, which is basically the same for all of them.

    Regarding required documentation, ISO Management Standards released since 2012 do not demand too much, only an Internal audit program (clause 9.2) and the results of internal audits (clause 9.2). For generating this documentation it is recommended that you define a procedure for internal audit (but this procedure is not mandatory by any standard). To help you with this documentation, I suggest you take a look at the free demo of our internal audit toolkits:
    -ISO 27001/ISO 22301 Internal Audit Toolkit https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
    -ISO 9001:2015 Internal Audit Toolkit https://advisera.com/9001academy/iso-9001-2015-internal-audit-toolkit/
    -ISO 14001:2015 Internal Audit Toolkit https://advisera.com/14001academy/iso-14001-2015-internal-audit-toolkit/

    These toolkits contain the following documents: Internal Audit Checklist, Procedure for Internal Audit, Annual Internal Audit Program, and Internal Audit Report. With these you will be able to properly plan and perform internal audits.

    This article will provide you further explanation about audit process considering ISO 27001:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    If you feel you need additional information, you can schedule a free consultation with one of our experts:
    -For ISO 27001: https://advisera.com/27001academy/consultation/
    -For ISO 14001: https://advisera.com/14001academy/free-consultation/
    -For ISO 9001: https://advisera.com/9001academy/free-consultation/
  • Scope review


    Answer: Since part of the activities that were performed by your client are now under control of its managed service vendor, it has to modify the scope to reflect this new situation. The main point to consider here is how much direct control the organization has over the applications and databases hosted on the outsourced data center. For example:

    - If the organization controls both the applications and databases (the data center only provides the physical and virtual machines), only the basic infrastructure of the datacenter should be excluded from the ISMS scope.

    - If the organization uses the applications as a service made available by the provider, only the organization's database should be included in the ISMS scope.

    This article will provide you further explanation about Scope review:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

    These materials will also help you regarding Scope review:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Mandatory records and retention time in IATF 16949


    Answer:

    You can find the list of mandatory documents and records here: List of mandatory documents required by IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/list-of-mandatory-documents-required-by-iatf-16949-2016/

    The standard requires the organization to define, document and implement a record retention policy that can be part of the Procedure for Document and Record Control. For most of the documents, the organization itself can define the retention time, while production part approvals, tooling records, product and process design records, purchase orders or contracts and amendments should be retained for the length of time that the product is active for production and service requirements, plus one calendar year, unless otherwise specified by the customer or regulatory agency.
  • Introducing an RfC

    Following an ITIL Service Portfolio Management process (SPM), there can be found 4 types of process initiators (Strategic initiative, Request from business, Service improvement and Service suggestion). We call all of them "initiatives", not requests for change (RFC). So when business wants to change an application, it is not called RFC from the beginning. It is called INI.
    The change proposal is introduced in the 3rd activity of the SPM process (approve), when authorisation from change management is needed to proceed the INI to an implementation project (covering design & transition phases of new/changed services). After the new/changed services have been accepted, the RFCs are generated in order to authorise a deployment of new/changed services into a production environment (where "final changes" of CIs are performed).
  • Risks and opportunities in ISO 9001

    Could you please clarify my understanding by providing an example?
    Thank you very much, Mr. Stojanovic.

    Answer:

    The standard requires the organization to identify and address risks and opportunities related to the QMS effectiveness, which includes quality and conformity of products and services, customer satisfaction, QMS performance etc. Risks related to occupational health and safety, for example, shouldn't be considered when identifying risks and opportunities for the QMS.

    Same as the risks, the opportunities are focused on the QMS, its effectiveness and ability to achieve the objectives and this is the place to look for them.

    The risk can arise either from external or internal context. For example, the organization can have outdated equipment and there is a risk of nonconforming products in the production process. As an action to address the risk, the organization can increase the frequency of preventive maintenance of the equipment to avoid failures.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/