
  • Audit process


    (Hello, the book gives you a slight idea of an internal audit but does not explain each step in detail, neither what documents are needed or generated, nor how they should be generated. Can you help me with this?)

    Answer: Since you have already read the book, for a detailed explanation of the steps of an internal audit, I suggest you take a look at one of our free online courses about internal audit:
    -ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    -Curso Auditor Interno ISO 9001:2015 https://advisera.com/es/formacion/curso-auditor-interno-iso-9001/
    -Curso Auditor Interno ISO 14001:2015 https://advisera.com/es/formacion/curso-de-auditor-interno-iso-14001/

    These courses have modules specifically devised to present an overview of the requirements of the related standard and details of the internal auditing process, which is basically the same for all of them.

    Regarding required documentation, ISO Management Standards released since 2012 do not demand too much, only an Internal audit program (clause 9.2) and the results of internal audits (clause 9.2). For generating this documentation it is recommended that you define a procedure for internal audit (but this procedure is not mandatory by any standard). To help you with this documentation, I suggest you take a look at the free demo of our internal audit toolkits:
    -ISO 27001/ISO 22301 Internal Audit Toolkit https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
    -ISO 9001:2015 Internal Audit Toolkit https://advisera.com/9001academy/iso-9001-2015-internal-audit-toolkit/
    -ISO 14001:2015 Internal Audit Toolkit https://advisera.com/14001academy/iso-14001-2015-internal-audit-toolkit/

    These toolkits contain the following documents: Internal Audit Checklist, Procedure for Internal Audit, Annual Internal Audit Program, and Internal Audit Report. With these you will be able to properly plan and perform internal audits.

    This article will provide you with further explanation about the audit process considering ISO 27001:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    If you feel you need additional information, you can schedule a free consultation with one of our experts:
    -For ISO 27001: https://advisera.com/27001academy/consultation/
    -For ISO 14001: https://advisera.com/14001academy/free-consultation/
    -For ISO 9001: https://advisera.com/9001academy/free-consultation/
  • Scope review


    Answer: Since part of the activities that were performed by your client are now under the control of its managed service vendor, it has to modify the scope to reflect this new situation. The main point to consider here is how much direct control the organization has over the applications and databases hosted on the outsourced data center. For example:

    - If the organization controls both the applications and databases (the data center only provides the physical and virtual machines), only the basic infrastructure of the datacenter should be excluded from the ISMS scope.

    - If the organization uses the applications as a service made available by the provider, only the organization's database should be included in the ISMS scope.

    This article will provide you with further explanation about scope review:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

    These materials will also help you regarding scope review:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Mandatory records and retention time in IATF 16949


    Answer:

    You can find the list of mandatory documents and records here: List of mandatory documents required by IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/list-of-mandatory-documents-required-by-iatf-16949-2016/

    The standard requires the organization to define, document and implement a record retention policy, which can be part of the Procedure for Document and Record Control. For most of the documents, the organization itself can define the retention time, while production part approvals, tooling records, product and process design records, purchase orders or contracts and amendments should be retained for the length of time that the product is active for production and service requirements, plus one calendar year, unless otherwise specified by the customer or regulatory agency.
  • Introducing an RfC

    Following an ITIL Service Portfolio Management process (SPM), there can be found 4 types of process initiators (Strategic initiative, Request from business, Service improvement and Service suggestion). We call all of them "initiatives", not requests for change (RFC). So when the business wants to change an application, it is not called an RFC from the beginning. It is called an INI.
    The change proposal is introduced in the 3rd activity of the SPM process (approve), when authorisation from change management is needed to proceed with the INI to an implementation project (covering the design & transition phases of new/changed services). After the new/changed services have been accepted, the RFCs are generated in order to authorise the deployment of the new/changed services into a production environment (where "final changes" of CIs are performed).
  • Risks and opportunities in ISO 9001

    Could you please clarify my understanding by providing an example?
    Thank you very much, Mr. Stojanovic.

    Answer:

    The standard requires the organization to identify and address risks and opportunities related to the QMS effectiveness, which includes quality and conformity of products and services, customer satisfaction, QMS performance, etc. Risks related to occupational health and safety, for example, shouldn't be considered when identifying risks and opportunities for the QMS.

    Same as the risks, the opportunities are focused on the QMS, its effectiveness and its ability to achieve the objectives, and this is the place to look for them.

    The risk can arise either from the external or the internal context. For example, the organization can have outdated equipment, so there is a risk of nonconforming products in the production process; as an action to address the risk, the organization can increase the frequency of preventive maintenance of the equipment to avoid failures.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Implementing ISO 9001 without any help


    Answer:

    ISO 9001 can be implemented without any external help, but this approach (although the least expensive) will take a lot of time, since the persons in charge of the implementation will have to understand the requirements of the standard and find a way to implement them. Also, you cannot be sure that you have implemented all requirements of the standard before the certification audit, and that is the most inconvenient moment to find out that you have far too many nonconformities to get the certificate.

    However, there are other options for the implementation that do not include hiring a consultant for the entire project but just gaining the know-how when you need it. For more information, see: Look at your options
    https://advisera.com/9001academy/consultant/iso9001-process/
  • People related threats and vulnerabilities


    Answer: In fact, the loss of knowledge is an impact (the effect of a realized risk) that can be the result of several types of risks, including risks related to people.

    Considering the asset-threat-vulnerability methodology, some people-related risks that can result in loss of knowledge are:
    - Social engineering: people may be induced by an attacker to inadvertently facilitate the theft of information. A vulnerability would be people without knowledge of how to identify and handle social engineering attacks.
    - Corruption: people may be induced by an attacker to steal information. A vulnerability would be people's personal problems.
    - Any event that can make people unavailable or inaccessible (e.g., better job offers, sickness, death, transport strike, etc.). A vulnerability would be people's behaviour of not documenting knowledge.

    This article will provide you with further explanation about risk assessment:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Effectiveness of the corrective actions


    Answer:

    The purpose of the corrective action is to remove the cause of the nonconformity and prevent it from happening again. If the corrective action managed to achieve this, then it is considered effective. For example, if the corrective action process determined that the cause of the nonconformity was lack of training and you perform training as a corrective action, and the nonconformity is not recurring, then the corrective action was effective.

    For more information, see: Using corrective actions to eliminate nonconformities and drive health & safety improvements https://advisera.com/18001academy/blog/2017/02/15/using-corrective-actions-to-eliminate-nonconformities-and-drive-health-safety-improvements/
  • Making the transition to IATF 16949


    Answer:

    Since IATF 16949 is a rather complex standard, the transition process should be conducted as a project. The first step should be to conduct a GAP analysis to determine to what level your existing QMS is compliant with IATF 16949 and what needs to be done to achieve full compliance with the standard. Once you determine the gaps, you can develop a project plan for the transition, defining what needs to be done, who will do it, what resources are needed and what the deadlines are.

    Then you can start implementing the new requirements of the standard. The most important changes are related to the context of the organization and addressing risks and opportunities, but almost every clause has changed to some extent.

    For more information, see: 12 steps to make the transition from ISO/TS 16949:2009 to IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/12-steps-to-make-the-transition-from-isots-16949-2009-to-iatf-16949-2016/
  • Is FMEA necessary for ISO 9001:2015

    If you are producing parts for an IATF-certified customer, your customer may request an FMEA from you. Normally, it is not a subject required by the ISO 9001 standard. You can get training support for FMEA, or you can request a deviation from your customer in this regard.
