I need your expertise in understanding clause 9.3.2c (3) and 9.3.2c (5) of the ISO 9001:2015 standards.
Appreciate if you could provide examples to satisfy this requirements.
Thank you in advance.
Answer:
The clause 9.3.2c) (3) requires organization to gather information on trends in the process performance and conformance of products and services which means that the organization needs to determine the key process indicators and measure them to gather information on the process performance and as an input for product conformance the company can use registry of nonconformities to see how many products o services where nonconforming to the requirements. For more information, see: How to define Key Performance Indicators for a QMS based on ISO 9001 https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
The clause 9.3.2c) (5) requires organization to gather information on trends in monitoring and measuring results. The organization needs to define what needs t o be monitored and measured and how frequently, for example, the organization can measure customer satisfaction twice a year and present the top management with information whether the customer satisfaction increased or not. For more information, see: Analysis of measuring and monitoring requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/
Becoming an ISO 22301 Lead Auditor
Answer: If you are aiming for an accredited certificate (which is internationally recognized and part of the process to become an auditor for a certification body), to my knowledge there are no ISO 22301 Lead Auditor courses offered online at the moment in the market.
These materials are focused on ISO 27001, but the logic is the same for ISO 22301.
Risk Assessment
Now that the Asset Register is complete, including all assets; Soft, computer, accessories, server, information and infrastructure, is it best to risk assess each item on the register to understand the threats and vulnerabilities?
Answer: Yes, you should have to assess the risks for all assets on asset register. The understanding of ISO 27001 control A.8.1.1 - Inventory of assets is that all assets in the inventory (asset register) are considered relevant in the life cycle of the information, so if you do not assess the risk for one asset you have on the register, you either have a non conformity issue, or that asset should not be in the register at all. But you should note that you also have to add to the register your employees, and suppliers (because of competencies and resources provided) - you need to perform risk assessment on them, too.
I need to ask you Which framework should we use to do an IT Audit, I know that there are different methodology like (COBIT, ISO27001, NIST).
Answer: This answer will depend upon the purpose of your audit:
- If your purpose is to verify IT governance practices, you should use COBIT as main reference.
- If your purpose is to verify IT information security management practices, you should use ISO 27001 as main reference.
- If your purpose is to verify IT practices related to computer security, you should use NIST SP-800 series as main reference.
In case your audit covers a mix of these purposes, you should make a combination of these standards.
Competitor can't be considered as an interested party because his interests are colliding with the interests of the organization. For example, Competitors are interested in gaining bigger part of the market so they would like the organization to provide low quality products by higher price and this is definitely not the kind of need and expectation you want to meet.
Answer: In terms of challenges, you can mention production losses due to information security related incidents, fees and legal actions for non compliance with legal requirements, internal confusion regarding who must do what and when, and the difficulties on maintenance of a good public image. An ISMS can help handle all these items. For example, by implementing proper security controls you can minimize the occurrence and/or impact of incidents, and by establishing policies and procedures you can define clear responsibilities and actions to be performed in relevant situations.
Or if you can help me with sample DLP framework defining exactly what it should contain or relevant references/links?
Answer: Unfortunately we do not have such specific material, but for determination of rights of employees I suggest you to take a look at these material:
ISO 27018 guidelines: This standard aims to protect Personally Identifiable Information from customers that makes use of cloud services, considering the point of view from both customers providers. You can check the orientations for customers to have an idea on what consider for your employees. For detailed information see: ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
CISPE Code of conduct: Cloud Infrastructure Service Providers in Europe (CISPE) is a coalition of technology companies focused on provisioning of cloud computing infrastructure services, and this code is an effort to help customers and providers comply with EU GDPR. You can find more information here: Data Privacy Protection, ISO 27001 and CISPE Code of Conduct https://advisera.com/27001academy/blog/2016/10/31/data-privacy-protection-iso-27001-and-cispe-code-of-conduct/
Mi duda es: Un factor interno como es una fortaleza (coge el ejemplo que quieras: documentos, informática, personal, error en objetivos, error en fabricación, en ventas en ofertas, en compras, en fabricación, en post venta, en almacenes etc…) se me convierta en una debilidad y se deba analizar ese riesgo
Entonces, ¿Qué profundidad alcanzáis cuando hacéis el análisis de riesgo?:
Todo (las amenazas + las fortalezas que se me pueden volver debilidades)
Sólo lo más evidente,
En aquellas situaciones y/o aspectos en que “suenan campanas” (por ejemplo “estamos en una burbuja inmobiliaria” y a más de uno le exploto por no tener el análisis realizado y las acciones,..).
Es evidente que si cogemos todo podemos estar escribiendo un año (eso sí, luego siempre son repeticiones y un porcentaje “vale para siempr e” y vale para todo tipo de empresas)
Mi respuesta:
La norma ISO 9001:2015 no requiere de un formato específico para la identificación de riesgos, así que puedes hacer este análisis de identificación de riesgos y oportunidades como quieras y llegar tan lejos como creas que sea necesario. Sin embargo es siempre recomendable encontrar la manera más simple y fácil de llevarlo a cabo en tu organización.
En cuanto a las oportunidades y amenazas (normalmente referidos a factores externos), un análisis PEST puede ser de ayuda para asegurar no pasar por alto factores externos como requerimientos legales o cambios tecnológicos.
Algunos consejos a la hora de utilizar un análisis DOFA son:
.- Aceptar sólo información precisa y verificabl.
- Intentar reducir largas listas de factores y priorizarlas, de este modo inviertes más tiempo en pensar en los que son realmente significativos.
- Aplicar al nivel correcto, por ejemplo, aplicar la herramienta al nivel de producto o de línea de producción en vez de a un nivel más amplio y vago de la empresa.
- Asegurar que las opciones que se han generado son llevadas a cabo en fases posteriores dentro del proceso estratégico.
You can cover with the scope only one product, but you just need to write that in your document about the scope of QMS
Quality manual in IATF 16949
Answer:
When it comes to IATF 16949 requirements regarding the manual, it requires at minimum:
a) the scope of the QMS including justification for any exclusion
b) documented processes established for the QMS or reference to them;
c) the organization's processes and their sequence and interactions (inputs and output, including type and extent of control of any outsourced processes;
d) a document (i.e. matrix) indicating where within the organization's QMS the customer specified requirements are addressed.
Previous version of the standard, ISO/TS 16949:2009 required the same as bullets a), b) and c), so if your manual meets all requirements of the new version, you do not have to make changes to it except aligning clauses of the standard. In other case, you need to make an update of your manual to meet all above mentioned requirements.