Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Making the transition to IATF 16949


    Answer:

    Since the IATF 16949 is rather complex standard, the transition process should be conducted as a project. First step should be to conduct a GAP analysis to determine to what level your existing QMS is compliant with IATF 16949 and what needs to be done to achieve full compliance with the standard. Once you determine the gaps, yo can develop project plan for the transition, defining what needs to be done, who will do it, what resources are needed and what are the deadlines.

    Then you can start implementing new requirements of the standard. The most important changes are related to context of the organization and addressing risks and opportunities but almost every clause has suffered changes to some extent.

    For more information, see: 12 steps to make the transition from ISO/TS 16949:2 009 to IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/12-steps-to-make-the-transition-from-isots-16949-2009-to-iatf-16949-2016/

  • Is FMEA necessary for ISO 9001:2015

    If you are producing parts for an IATF-certified customer, your customer may request FMEA from you. Normally, it is not a subject required by the ISO 9001 standard. You can get training support for FMEA, or you can request a deviation from your customer in this regard.

  • Change Management


    Answer: Regarding ISO 27001, you have two issues here:
    - Clause 8.2 of ISO 27001 says that when significant changes occur, risk assessment needs to be performed.
    - Control A.12.1.2 from Annex A requires changes to be managed so you can ensure they are authorized, controlled and risks of problems during the change are minimized.

    Said that, first you should perform a risk assessment to re-evaluate the risks considering the new location (some new risks may arise or already identified risks may change values, requiring adjustments in your risk treatment plan). After that you should proceed with the risk management procedure.

    For these two activities, I suggest you to take a look at the free demo of these documents:
    - Risk Assessment and Risk Treatment Methodology https://advisera.com/27001academy/documentation/risk-assessment-and-risk-t reatment-methodology/
    - Change management Police https://advisera.com/27001academy/documentation/change-management-policy/
    - Business continuity plan https://advisera.com/27001academy/documentation/business-continuity-plan/

    The risk assessment and treatment methodology can help you to re-evaluate the risks, the change management plan can help you organize the whole change process, and the business continuity plan can help you organize the specific activities related to the change and how to handle potential problems if they occur.

    These articles will provide you further explanation about change management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

    These materials will also help you regarding change management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course

  • Audit findings


    Answer:

    When presenting nonconformities and concerns as a result of internal or certification audit, it is important to relate them to some requirement of the standard to make them have more impact. The situation you've pointed out is very interesting but there is no easy way to present such findings to the top management.

    The requirement that you can reference to when prese nt these findings is from clause 5.3 where the top management should assign responsibility and authority for ensuring that the processes are delivering their intended outputs. This means that the process owner should have authority to make decisions within the process and he is responsible for the effectiveness of the process.

    For more information, see: How to comply with new leadership requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-comply-with-new-leadership-requirements-in-iso-90012015/

  • Internal audit according to ISO 9001:2015

    What are the changes the auditor would expect in terms of Internal Audit as per ISO 9001: 2015. Do we need to perform 1 cycle of auditing for all processes i.e. core, support, control processes etc?

    Also would like to know should the top management be audited as well for the shall requirements?

    Answer:

    Requirements regarding the internal audit process haven't changed significantly compared to the previous version. The only change is that you no longer need documented procedure for internal audit and the requirements to be audited are different. Before having the certification audit, it is recommendable to conduct full cycle of internal audit but this was also the case with the previous version of the standard.

    Internal audit should cover entire scope of the QMS, and this includes auditing requirements related to the top management.

    For more information, see: Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/

  • Standard review and recertification cycle


    Answer: The review of an ISO standard generally starts 5 years after its release, and this process takes up to 3 years to release a new version. Of course if an industry or community presents a justifiable request this time between reviews may change, but the duration of the review process remains within the 3 years time frame.

    2 - Can you advise me how re-certification is achieved?

    Answer: For the certification body, the re-certification process is the same as the certification one, the certification auditor will go through all the certification scope during the audit, to verify if all requirements of the standard, as well as the requirements defined by the organization, are in place and working as expected.

    For the organization, when the recertification involves the release of a new version of the standard, the re-certification process starts with a gap analysis between the old and the new versions of the standard, so you can identify what has changed and which actions should be done to comply with the new requirements.

    After the new requirements are implemented, you have to ensure they are properly operated, controlled and that they achieve the expected results, through internal audit and management review, so you can have the necessary evidences that the new requirements are all properly implemented, and that identified problems are handled through corrective actions.

    These articles will provide you further explanation about certification process:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

  • Checklist for EU GDPR


    1) Is there any draft questionnaire or checklist for the compliance of EU GDPR? Like any set of questions which any company(may be from different industries) answers to show its compliance with GDPR. If there exists and you know, kindly forward me such link.

    Answer: Unfortunately EU GDPR is not our main area of expertise (we work with ISO standards). Considering specific clause of EU GDPR I suggest you to consult GDPR site (https://www.eugdpr.org/more-resources-1.html). In this page you will find links to legal evaluations and other compliance information considered relevant to GDPR.

    2) DLP in itself says that there should be no data leakage from the organisation so one has to monitor what data is at rest/transit/motion. But if you monitor all the data of the employee then it invades its privacy which is against the personal liberty. I am trying to figure out what is the threshold where data can be monitored and beyond which monitoring invades privacy. Is there a draft set of rules or laws which specifically implement DLP keeping in mind the personal liberty of the employee. Along with this, the DLP monitoring should be compliant with EU GDPR as well.

    Answer: Privacy laws can be very different from country to country, so it is very difficult to try to identify common thresholds. In terms of ISO 27001 good practices would be:
    - Establish enterprise-wide network and systems usage policies, so there are clear rules about what can be sent or received through organization resources
    - Ensure every employee is aware of monitoring practices by means of newsletters and other forms of organizational communication. This measure also can help prevent undesirable data losses.

    For our template Acceptable Use Policy you can take a look at this link https://advisera.com/27001academy/documentation/it-security-policy/

    You just need to scroll down a little to find the free demo tab.

  • Document classification


    Answer:
    Based on the details, I assume you are implementing Information Security process and related controls.
    I would suggest that you make agreement on company level what document confidentiality levels you will use. In such way you will avoid having (e.g. for same kind of document) different confidentiality levels.

  • Training on non conformities

    (Hi, good afternoon, the 4 books I buy are very helpful. But I lack more training in raising NO CONFORMITIES. How can you help me on that?)

    Answer: To raise a non conformity you need to identify three conditions:
    1 - the situation itself that demonstrates the non conformity
    2 - the requirement being followed (e.g., procedure, policy, or standard clauses)
    3 - an evidence (e.g., lack of record)

    These are the main guidelines for auditors.

    This articles will provide you further explanation about non conformities and corrective actions, and audit:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
    -ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-fo r-my-career/

    To learn about audit techniques I suggest you to take a look at our ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/

  • Personal certification maintenance


    Answer: Yes, you can use the hours of attended Advisera online courses to claim PDUs for your PMP certification. You only have to ensure you keep an evidence of attending the course, to present in case PMI request it, as part of its random audit process. This evidence may be the confirmation of your enrol to the course or the course certificate (I suggest you to verify on PMI PDU program which one is better).
Page 904-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +