The reason for the above is that I am trying to cut down the number of forms registered in the QMS and reduce it.
I would like an opinion on which criteria I should apply to code a record, and whether records that are decided to be kept electronically, such as in a database, should also be coded?
Regarding the coding of records, the standard only requires that the information be identifiable and traceable, so you can use your own criteria. My recommendation is to apply a simple system that can be understood by all employees of the company, so that they can find documents easily and quickly.
ISO 9001 and ISO 17025
Answer:
The ISO/IEC 17025 standard specifically addresses factors relevant to a laboratory's ability to produce precise, accurate test and calibration data. The main difference between ISO 17025 and ISO 9001 is accreditation versus certification. ISO 17025 stands for accreditation, which means the recognition of specific technical competence. ISO 9001 stands for certification, which means conformance with a management system standard, certified by an independent body that is internationally recognized. There is also a difference regarding accurate products: ISO 9001 does not mean that accurate products are produced. For that, the product should be approved under ISO 17025.
The standards are too different when it comes to requirements and structure, so it will be very difficult to integrate them. Besides document and record control, corrective actions, internal audit and management review, there are not a lot of similarities. ISO 9001 can be used as a supplement to ISO 17025 to meet the requirements of ISO 17025 clauses 4.1 and 4.2, but other than that there is not much room for integrating them.
Quality objectives and plans to achieve them
A) Automate 100% of HR processes by the end of the year?
B) Over a period of 3 months (May to July), determine the skills, knowledge, and resources needed for full automation of HR processes before the end of the current year?
Please advise.
Answer:
The objectives need to be SMART (Specific, Measurable, Attainable, Relevant and Timely), and the objective itself does not need to explain how it will be achieved. For that, the standard requires plans for achieving the quality objectives. The plan includes defining actions, responsibilities, resources and deadlines.
Example "A" that you provided is a good example of a quality objective; example "B" seems more like a plan for achieving objective "A".
The name PDCA comes from the English words "Plan, Do, Check, Act". This methodology describes four phases that need to be carried out systematically in order to achieve continual improvement and, therefore, greater productivity in the company. When the final phase ("Act") is reached, you return to the first phase ("Plan") and the cycle is repeated again; in this way the activities are re-evaluated periodically.
Furthermore, since the first step in the PDCA cycle is Plan, an initial diagnosis will have to be carried out to determine which activities in the organization need to be done in order to comply with the requirements of ISO 9001:2015. All of this will lead to greater productivity, working in a more effective way, since all processes will be aligned and understood by the organization's personnel.
Just as background: we (our team of 3) have just finished the 5-day ISO 27001 (ISMS) training course, and we have also passed the written examination.
However, as the trainer explained to us on the final day, for us to be IRCA certified Lead Auditors we need to pay a certain royalty fee to IRCA, and we also need to gain some experience as observers/auditors within a certain time frame. So, could you please explain the process further?
Answer: IRCA's fees vary from country to country. For precise information regarding your country, see: https://www.quality.org/content/irca-fees
Regarding audit experience, you must have at least 20 days of auditing, including at least 15 on site (this generally covers 3 or 4 certification audits). For more information, see: https://www.quality.org/article/auditor
Organizational context
Please specify in which type of context an organisation has its own controls, and in which it does not?
Answer: As different contexts you can consider banks, hospitals and internet providers. All of them have specific business requirements that drive information security. Banks need to protect account holders' financial data, hospitals need to protect patients' health data, and internet providers must protect users' data flows. All of them must protect confidentiality, integrity and availability, but for different information and to different degrees, so they will require different control sets and security levels.
For example, the acceptable delay in providing information to an internet user can be completely different from that for a hospital patient, leading to a different set of controls.
Regarding responsibility for controls, organizations that run their own IT infrastructure own many more controls than those that outsource it, for example by adopting a Software as a Service solution.
Answer: Most frequently, the durations used for NDAs are 2, 3 and 5 years, but you can define a different period based on a risk assessment (an NDA can even last forever), and you do not have to define one single period for all your information. But you have to note that the longer the period, the greater the cost involved.
Answer: Cryptographic controls can be tested during information system development or operation. During development, you can ensure testing by applying controls from section A.14 (A.14.2.8 - System security testing and A.14.2.9 - System acceptance testing), and for regular testing in operation, controls A.14.2.3 - Technical review of applications after operating platform changes and A.18.2.3 - Technical compliance review are good choices.