
  • Mandatory records and retention time in IATF 16949


    Answer:

    You can find the list of mandatory documents and records here: List of mandatory documents required by IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/list-of-mandatory-documents-required-by-iatf-16949-2016/

    The standard requires the organization to define, document and implement a record retention policy, which can be part of the Procedure for Document and Record Control. For most documents, the organization itself can define the retention time, while production part approvals, tooling records, product and process design records, purchase orders or contracts and amendments should be retained for the length of time that the product is active for production and service requirements, plus one calendar year, unless otherwise specified by the customer or regulatory agency.
  • Introducing an RfC

    Following an ITIL Service Portfolio Management (SPM) process, there can be found 4 types of process initiators (Strategic initiative, Request from business, Service improvement and Service suggestion). We call all of them "initiatives", not requests for change (RFC). So when the business wants to change an application, it is not called an RFC from the beginning. It is called an INI.
    The change proposal is introduced in the 3rd activity of the SPM process (approve), when authorisation from change management is needed to proceed with the INI into an implementation project (covering the design & transition phases of new/changed services). After the new/changed services have been accepted, the RFCs are generated in order to authorise the deployment of the new/changed services into the production environment (where the "final changes" of CIs are performed).
  • Risks and opportunities in ISO 9001

    Could you please clarify my understanding by providing an example?
    Thank you very much, Mr. Stojanovic.

    Answer:

    The standard requires the organization to identify and address risks and opportunities related to the QMS effectiveness, which includes quality and conformity of products and services, customer satisfaction, QMS performance, etc. Risks related to occupational health and safety, for example, shouldn't be considered when identifying risks and opportunities for the QMS.

    The same as for the risks, the opportunities are focused on the QMS, its effectiveness and its ability to achieve the objectives, and this is the place to look for them.

    The risk can arise either from the external or the internal context. For example, the organization can have outdated equipment, and there is a risk of nonconforming products in the production process; as an action to address the risk, the organization can increase the frequency of preventive maintenance of the equipment to avoid failures.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Implementing ISO 9001 without any help


    Answer:

    ISO 9001 can be implemented without any external help, but this approach (although the least expensive) will take a lot of time, since the persons in charge of the implementation will have to understand the requirements of the standard and find a way to implement them. Also, you cannot be sure that you implemented all requirements of the standard before the certification audit, and that is the most inconvenient moment to find out that you have far too many nonconformities to get the certificate.

    However, there are other options for the implementation that do not include hiring a consultant for the entire project but just gaining the know-how when you need it. For more information, see: Look at your options https://advisera.com/9001academy/consultant/iso9001-process/
  • People related threats and vulnerabilities


    Answer: In fact, the loss of knowledge is an impact (the effect of a realized risk) that can be the result of several types of risks, including risks related to people.

    Considering the asset-threat-vulnerability methodology, some people-related risks that can result in loss of knowledge are:
    - Social engineering: people may be induced by an attacker to inadvertently facilitate the theft of information. A vulnerability would be people without knowledge of how to identify and handle social engineering attacks.
    - Corruption: people may be induced by an attacker to steal information. A vulnerability would be people's personal problems.
    - Any event that can make people unavailable or inaccessible (e.g., better job offers, sickness, death, transport strike, etc.). A vulnerability would be people's behaviour of not documenting knowledge.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Effectiveness of the corrective actions


    Answer:

    The purpose of the corrective action is to remove the cause of the nonconformity and prevent it from happening again. If the corrective action managed to achieve this, then it is considered effective. For example, if the corrective action process determined that the cause of the nonconformity was lack of training and you perform training as a corrective action, then, if the nonconformity is not recurring, the corrective action was effective.

    For more information, see: Using corrective actions to eliminate nonconformities and drive health & safety improvements https://advisera.com/18001academy/blog/2017/02/15/using-corrective-actions-to-eliminate-nonconformities-and-drive-health-safety-improvements/
  • Making the transition to IATF 16949


    Answer:

    Since IATF 16949 is a rather complex standard, the transition process should be conducted as a project. The first step should be to conduct a GAP analysis to determine to what level your existing QMS is compliant with IATF 16949 and what needs to be done to achieve full compliance with the standard. Once you determine the gaps, you can develop a project plan for the transition, defining what needs to be done, who will do it, what resources are needed and what the deadlines are.

    Then you can start implementing the new requirements of the standard. The most important changes are related to the context of the organization and addressing risks and opportunities, but almost every clause has undergone changes to some extent.

    For more information, see: 12 steps to make the transition from ISO/TS 16949:2009 to IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/12-steps-to-make-the-transition-from-isots-16949-2009-to-iatf-16949-2016/
  • Is FMEA necessary for ISO 9001:2015

    If you are producing parts for an IATF-certified customer, your customer may request FMEA from you. Normally, it is not a subject required by the ISO 9001 standard. You can get training support for FMEA, or you can request a deviation from your customer in this regard.

  • Change Management


    Answer: Regarding ISO 27001, you have two issues here:
    - Clause 8.2 of ISO 27001 says that when significant changes occur, risk assessment needs to be performed.
    - Control A.12.1.2 from Annex A requires changes to be managed so you can ensure they are authorized, controlled and risks of problems during the change are minimized.

    That said, first you should perform a risk assessment to re-evaluate the risks considering the new location (some new risks may arise, or already identified risks may change values, requiring adjustments in your risk treatment plan). After that you should proceed with the risk management procedure.

    For these two activities, I suggest you to take a look at the free demo of these documents:
    - Risk Assessment and Risk Treatment Methodology https://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/
    - Change Management Policy https://advisera.com/27001academy/documentation/change-management-policy/
    - Business continuity plan https://advisera.com/27001academy/documentation/business-continuity-plan/

    The risk assessment and treatment methodology can help you re-evaluate the risks, the change management policy can help you organize the whole change process, and the business continuity plan can help you organize the specific activities related to the change and how to handle potential problems if they occur.

    These articles will provide you further explanation about change management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

    These materials will also help you regarding change management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course
  • Audit findings


    Answer:

    When presenting nonconformities and concerns resulting from an internal or certification audit, it is important to relate them to some requirement of the standard so that they have more impact. The situation you've pointed out is very interesting, but there is no easy way to present such findings to the top management.

    The requirement that you can reference when presenting these findings is in clause 5.3, where top management should assign responsibility and authority for ensuring that the processes are delivering their intended outputs. This means that the process owner should have the authority to make decisions within the process, and he is responsible for the effectiveness of the process.

    For more information, see: How to comply with new leadership requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-comply-with-new-leadership-requirements-in-iso-90012015/