
  • Certification costs


    Answer: The main certification cost areas are related to the size of the scope and the controls to be implemented, so I suggest you verify whether the scope size is appropriate to the organization's objectives for the ISMS and what risk levels the organization is willing to accept (the more risk taken, the fewer controls will be regarded as necessary). A smaller scope and fewer controls to implement will also reduce the implementation time. During implementation, one way to shorten the time is to implement some normally sequential controls at the same time (e.g. information classification and backup). But please note that these alternatives should be well weighed, considering the risk that your implemented system ends up lacking the capacity to work properly.

    To help you validate your implementation duration estimate, try our Free Calculator – Duration of ISO 27001/ISO 22301 Implementation (https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/)

    This article will provide you further explanation about reducing ISMS costs:
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/

    These materials will also help you regarding implementing an ISMS:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
  • Transition of ISO 13485 and maintaining ISO 9001


    Answer:

    If your customers do not require you to have an ISO 9001 certificate, my advice would be to cancel the certificate. The reason is that the new version of ISO 13485 is aligned with ISO 9001:2008 and does not follow the new ISO 9001:2015. Keeping both standards will make you have all the old requirements from ISO 9001:2008 together with the new requirements of ISO 9001:2015 and ISO 13485:2016, and there is no need to create such a robust system if there are no requirements from the customers in this regard. You will also save money on the certification fees.
  • Qualifications of the Management Representative


    The MR doesn't have to have formal education regarding the QMS or ISO 9001; the standard doesn't prescribe qualifications for the MR. The new version of the standard doesn't even require an MR as a role in the QMS. For more information, see: What will be the destiny of the management representative in the new ISO 9001:2015? https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/

    2. Is it possible that the Document Controller becomes the QMR or is appointed as QMR?

    Yes, but considering the usual duties of the MR, maybe it is better to have somebody from production or some other core process in the company. On the other hand, the Document Controller has experience with administration, so his or her contribution to the QMS can be valuable. For more information, see: Choosing the best person for the job of quality management representative https://advisera.com/9001academy/blog/2014/06/03/choosing-best-person-job-quality-management-representative/

    3. What are the qualifications to become a QMR?

    There are no formal requirements regarding qualifications for the MR, but it is reasonable to expect that this person is familiar with the standard and the processes within the company. Here you can sign up for our free online ISO 9001 Foundations course https://advisera.com/training/iso-9001-foundations-course/
  • Section 4.4.1.2 Product Safety

    Thank you that was very helpful.
  • Toolkit documents


    Answer: The document in the Toolkit which covers the ISO 27001 clause 7.5 is the Procedure for Document and Record Control located in the folder 00 Procedure for Document and Record Control.

    By the way, in the root folder of the toolkit you'll see a document called 'List of documents' where you'll see a list of all documents in the toolkit together with the clauses of the standard that are covered by each document.
  • IATF 16949 transition


    Answer:

    Since IATF 16949 is a rather complex standard, the transition process should be conducted as a project. The first step should be to conduct a gap analysis to determine to what level your existing QMS is compliant with IATF 16949 and what needs to be done to achieve full compliance with the standard. Once you determine the gaps, you can develop a project plan for the transition, defining what needs to be done, who will do it, what resources are needed and what the deadlines are.

    Then you can start implementing the new requirements of the standard. The most important changes are related to the context of the organization and addressing risks and opportunities, but almost every clause has undergone changes to some extent.
  • ISO 14001 in procurement process


    Answer:

    The standard requires the organization to control or influence outsourced processes and procured products or services. As far as outsourced processes are concerned, depending on the ability of the organization to enforce controls, the organization can define work instructions for the outsourcing partner, conduct audits, etc. It will all depend on how the relations between the organization and the outsourced partner are arranged, and the standard doesn't define to what extent the controls should be applied.

    When it comes to procurement of products and services, the organization can define environmental protection criteria when performing the procurement, or insist on procuring recyclable raw materials, etc.

    For more information, see: Defining and implementing operational control in ISO 14001:2015 https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/
  • Implementing ISO 9001 in hospital


    Answer:

    By implementing an ISO standard, I assume you mean ISO 9001, but the implementation process wouldn't differ too much from standard to standard; only the different requirements would be implemented.

    Assuming that you already have support from top management, the best way to start the implementation process is by conducting a gap analysis to determine to what extent your organization is already compliant with the standard and what needs to be done to achieve full compliance with the standard. Once you determine the gaps, you can develop a project plan for the implementation, defining what needs to be done, who will do it, what resources are needed and what the deadlines are.

    Then you should start implementing the requirements of the standard. The implementation process consists of developing documents and updating and establishing processes to meet all applicable requirements of the standard. When the implementation project is over, you should conduct an internal audit and a management review to ensure that your Quality Management System is compliant with ISO 9001. Finally, you can hire a certification body to conduct the audit and issue your company the certificate.

    For more information about the implementation, see: Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/

    As far as the standard manual is concerned, it is no longer a mandatory document, so you can decide whether to develop it or not. For more information, see: The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • ISO 27001 references


    Answer: ISO 27001 books are good support for understanding the concepts and finding details about how to implement the standard's requirements, but they are not a substitute for the standard, which you should also consider buying (the link for buying the standard is https://www.iso.org/isoiec-27001-information-security.html).

    This material will also help you regarding ISO 27001 understanding:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk treatment


    Is there any sample threat and vulnerability database that can be used for contractual agreements, outsourcing, SLAs and regulatory requirements?

    Answer: Our Risk Treatment Plan does not have a drop-down menu for threats and vulnerabilities because this is part of the risk assessment and is covered in the Risk Assessment Table. As our video tutorial shows, you should simply copy the unacceptable risks (with all the assets, threats and vulnerabilities) from the Risk Assessment Table and paste them into the Risk Treatment Table.

    In the Risk Assessment Table you'll find a list of threats and vulnerabilities related to outsourcing, SLAs and regulatory requirements: e.g., breach of contractual relations, breach of legislation, unauthorized access to facilities allowed and unclearly defined rules for access control.