
  • Documenting training and awareness


    Answer:

    Regarding competence of employees, the standard only requires you to retain records as evidence of the competence. You don't even need to have a documented procedure for training, let alone documented modules for each position in departments. In order to meet requirements regarding awareness, you do not even need records.

    Actually, having competent employees enables you to decrease the volume of the documentation because they know exactly what they are doing and do not need documented procedures.

    For more information about competence and awareness, see:
    - How to ensure competence and awareness in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - Using Competence, Training and Awareness to Replace Documentation in your QMS https://advisera.com/9001academy/blog/2013/12/17/using-competence-training-awareness-replace-documentation-qms/
  • Interpretation of risks and opportunities


    Answer:

    The standard requirements are not too specific, in order to enable companies to adapt the QMS to their own needs, but it doesn't mean that each requirement can be interpreted in a different way. For example, regarding risks and opportunities, the organization needs to identify and address risks and opportunities emerging from the context of the organization related to quality of products and services, objectives and customer satisfaction. But the standard allows the organization to choose whether to document a procedure, apply some risk assessment methodology, and record its risks and opportunities.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Demonstrating competence for ISO 9001:2015


    Answers:

    1) List of trainings which QA staff must undergo for successful transition

    The QA staff doesn't have to undergo any training; they only need to get familiar with the standard. It can be done by attending some external training or conducting in-house training. Here you can find a free ISO 9001:2015 Foundation online course https://advisera.com/training/iso-9001-foundations-course/ that can help your staff achieve the competence.

    2) Can these trainings be self-study or must be certified training sessions?

    There is no requirement defining the type of training, so you can choose any option that works best for you.

    3) Once certified as internal auditors for ISO 9001:2008, do the internal auditors still need to be trained for Internal auditor training ISO 9001:2015?

    Techniques of auditing haven't changed, only the requirements to be audited. Internal auditors should only get familiar with the new requirements. If you would like to get familiar with the new requirements and refresh your knowledge of auditing, I suggest this free ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
  • HIPAA Compliance


    Answer: I'm sorry, but knowledge about compliance applications with HIPAA is out of our expertise. We are focused on ISO 27001, and this specific situation is not required by this standard. I would recommend that you look for expert legal advice.
  • Information and Cloud security policies


    Answer: The Information security policy is related to a top management definition of what it wants to achieve with information security in a broader sense, providing the framework for managing the ISMS, while the cloud security policy narrows the focus, considering the definition of what it wants the ISMS to achieve with information security in cloud environments. In terms of implementation, you can have the Cloud Security Policy as a section in the Information Security Policy or as a completely separate document.

    These articles will provide you further explanation about Information and Cloud security:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
  • Internal audit

    Do you have an anonymised example for the annual internal audit program? I am looking to see how much information is needed.

    In the video tutorials that came with your toolkit, you can see examples of how to fill out the whole internal audit program.

    Also when considering who performs the internal audits – do they have to be certified to do so?

    ISO 27001 requires competences related to information security to be ensured based on education, training, or experience, so it is not mandatory for those who perform internal audits to be certified if you can provide other means to ensure competence. For example, the person has 5 years of previous experience auditing ISO 9001 and has experience in ISO 27001 implementation projects, or in his educational background he attended a course in the faculty related to audit concepts.
    This article will provide you further explanation about internal audits:
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    These materials will also help you regarding internal audits:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  • Risks and opportunities in ISO 14001:2015

    Answer: Risks in ISO 14001, as well as opportunities, need to be identified not only regarding environmental aspects but also regarding compliance obligations and the context of the organization. You don't need to turn your significant environmental aspects into risks, but rather to examine what can go wrong in operational controls that can lead to escalation of the environmental aspect and damage to the environment. The example you stated is a good direction for identifying risks. Also, you need to determine risks related to legal requirements and possible actions to avoid violation of those requirements. For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
  • Identifying Legal Requirements


    Answer: The most common ways to gather this kind of information are by interviewing people involved in the process (e.g., operators, technical staff, process owners, contract managers, legal support, etc.), reading the available documentation, and by doing an Internet search. By applying these three methods you will have a good base for determining which legal, regulatory and other requirements you must comply with.

    2 - And what if my organization has several locations in different countries?

    Answer: The methods described are still applicable, but you have to ensure that you collect this information also from people living in those countries, not only from someone who made an Internet search, because they generally have a closer and better view of what is relevant and needed in terms of requirements.

    This article will provide you further explanation about identifying requirements:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    These materials will also help you regarding identification of legal requirements:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Nonconformity in production process

    Which clause in the standard affects this? Should I put it under 8.7 or 8.5?

    Answer:

    If the nonconformity occurred in the production process, then it is related to clause 8.5. Clause 8.7 defines how to control the nonconforming product; a nonconformity related to clause 8.7 would mean that you didn't control the nonconforming product properly.

    For more information, see: How to use root cause analysis to support corrective actions in your QMS https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
  • Where to start with ISO 9001 transition


    Answer:

    The best way to start with the transition is to raise awareness in the company regarding the transition and what it brings to the company. This can be done with a presentation on the benefits of making the transition and how it will affect the everyday activities (decrease of documentation requirements, etc.). For more information, see: ISO 9001:2015 benefits of early transition https://info.advisera.com/9001academy/free-download/iso-90012015-benefits-of-early-transition

    The next step would be to conduct a gap analysis and determine to what extent your company is already compliant with the new version, and once you learn that you can develop a project plan for the transition and implement the changes in your system. For more information about transition steps, see: How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/

    I wouldn't start with a particular document but with the requirements that need to be implemented, and once you know them you can start updating your documents and processes. The Quality manual is no longer mandatory, but if you find it useful you can keep it; you just need to update it according to the new version. For more information, see: The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/