Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Processes vs. Procedures
Do you have some type of template to help make the process easier to document?
Were really under the gun because we missed this when we were first looking into the transition from 2004 to 2015 and now we have to submit all paperwork to our auditor by 3-13-17.
Answer:
The process represent set of interrelated or interacting activities which transforms inputs into outputs. The key for a process is that it takes an input, performs some activities using that input, and then creates an output. On the other hand procedure is a “specified way to carry out an activity or a process.” So, when you have a process that needs to occur in one specific way, and you have specified how it is to happen, you have a procedure.
It is important to note that not every process needs to have a procedure. For instance, if you have a process that you only buy product from an approved supplier, but you do not have a defined way to add a supplier to that list, then you have a process but not a procedure to go with it.
We do have process procedures for ISO 14001:2015, they are part of our documentation toolkit, but they can also be purchased separate. Here you can download free preview of the toolkit https://advisera.com/14001academy/iso-14001-documentation-toolkit/ -
Certification benefits
Answer: Information security means the protection of information regardless the medium it refers to , and this goes well beyond IT environment (e.g., information flows through physical reports, people talk about them, etc.), and ISO 27001 can help you to ensure proper information protection in all these situations. As practical examples, I can mention that pharmaceutical companies must protect their research information , and banks must protect information about their customers. Both are non-IT organizations to which ISO 27001 is perfectly applicable.
So, I strongly recommend you to seek for certification, because besides complying with a customer demand, by implementing an Information Security Management System (ISMS) based on ISO 27001, you can achieve other benefits like enhanced competitiveness, reduction of operational costs, improved internal organization, and easiness to maintain conformity with legal requirements.
This article will provide you further explanation about certification benefits:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
These materials will also help you regarding certification benefits:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 benefits: How to obtain management support [free webinar] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/ -
How many threats and vulnerabilities to display
Answer: Theoretically, you should include every possible option, i.e. combination of threats and vulnerabilities related to each threat, even if their value is 0. However, in my opinion you shouldn't list more than 5 threats for each asset, and more than 2 vulnerabilities for each threat.
This article will give you more explanation: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ -
Documenting the context in internet service provider company
Answer:
The standard does not require organization to document context of the organization neither the process of determining the context. The company itself can decide how to document the context if it chooses to document it. But, since it is a new requirement, I suggest to document procedure for determining the context containing all elements of the context to be considered and using SWOT or PEST analysis as a tool for determining the context. Having documented information on context of the organization will facilitate demonstration of compliance with the requirements.
There is n predefined list of internal and external issues, the company can decide by itself what issues are relevant to its QMS. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/ -
Procedure for document control based on ISO 9001 and ISO 22000
Answer:
Requirements for document and record control in ISO 22000 are located in clauses 4.2.2 and 4.2.3 while requirements for documented information in ISO 9001:2015 are located in clause 7.5. ISO 9001 has more precise requirements for document and record control than ISO 22000 therefore, the procedure for document and record control compliant with ISO 9001:2015 will meet requirements for document and record control in ISO 22000. All you need to do is to add reference to ISO 22000 relevant clauses in the Procedure for Document and Record Control, here you can find free preview of the document https://advisera.com/9001academy/documentation/procedure-document-record-control/ -
Check within the process vs. checks of product
I was wondering if we have checks within the process to ensure the product is good, do they need to be calibrated even if we check the final product with calibrated instruments?
Answer:
The company must demonstrate that the measuring equipment is fit for purpose, therefore the measuring equipment must be calibrated or verified, or both, at specified intervals, or prior to use. Rationale that the final measures of the product will ensure its conformity and the measuring within the process doesn't have to be 100% reliable practically means that the measurement within the process is redundant. For more information, see: Monitoring and Measurement Equipment Control https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/ the article is written based on ISO 9001:2008 but the requirements are the same -
Quality Manual referencing to document management software
Answer:
The Quality Manual is no longer required by ISO 9001:2015, therefore the requirements for Quality Manual no longer exist. The article you are referring is written according to 2008 version of the standard and that is why it states all these requirements regarding the manual. For more information, s ee: The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
The fact that the manual is no longer required does not mean it's forbidden, the company can decide to keep the manual but now it has more freedom to tailor it according to its needs. So you can reference to the certain parts or features of your software in the manual or to reference to the software as a whole. -
Environmental controls in virtual company
provides an outsourced customer service function including bespoke, personal and intelligent handling of inbound and outbound calls / emails / Livechats as well as outsourced telemarketing. -
Determining environmental context
The best way to get inputs for environmental conditions is to contact relevant local authority, in most cases they already have some study or some document that describes environmental conditions in your region. As far as events are concerned, the best way to approach it is to examine your processes and see what can influence them and what are the consequences, for example in case of fire or flood. Another important thing is to consider the immediate surroundings of the company and how it can affect your environmental performance, for example if there is a chemical industry nearby, how would their environmental incident affect your company. For more information about the context in ISO 14001, see: Determining the context of the organization in ISO 1400 https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/
2) where can I find a sample that shows how it is implemented- from SWOT analysis to determination of issues and identifica tion of interested parties and their needs and expectations?
Unfortunately, we do not have any examples available, but the SWOT analysis is very simple. It basically represents a table with four cells, each cell for strengths, weaknesses, opportunities and threats. The good thing about the SWOT analysis is that provides direct link to risks and opportunities.
When identifying interested parties, the best is to think about all instances that can affect or be affected by your company's operations in sense of the environment. Then you need to define what interested parties are really relevant and to determine their needs and expectations. For more information, see: How to determine interested parties according to ISO 14001:2015 https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/ -
External auditor questions
Answer: I suggest you take a look at the free demo of our Internal Audit Checklist (https://advisera.com/27001academy/documentation/internal-audit-checklist/). Even though it is oriented to internal auditors, it can provide you a good basis on what an external auditor can ask.
These articles will provide you further explanation about audit questions:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
- Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
These materials will also help you regarding audit questions:
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/