Since the QMR (Quality Management Representative) is no longer a mandatory function in ISO 9001:2015, the QMS must be qualified for the roles and responsibilities assigned to him. In most cases, QMR is responsible for maintaining the system, conducting internal audits and reporting to the top management, therefore it must be familiar with requirements of the standard and auditing techniques although the standard does not require some formal education or certificate for QMS. For gaining these competences, please see our free online courses regarding ISO 9001:2015:
- ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
2. QMR must attend training course purposely for QMR? Is it recommended?
All the QMR needs is to get familiar with requirements of the standard, this can be achieved with Internal Auditor Training or QMR training.
3. QMR must have good skill in language fluency especially English?
QMR must speak the language used in the company where he works, he doesn't have to speak English if it is not official language in the company.
4. QMR must read through and understand all the Quality Manuals, Std procedures and other working instructions?
Answer: The best help you can expect from consultants is their experience they have on situations regarding ISO 27001 implementation, which will reflect in less time needed for the implementation, and less rework regarding the choice of controls alternatives.
Answer: Internal audits are not so different from certification audits. You have to perform a compliance verification of the documentation, regarding compliance with the ISO 27001 standard and other relevant requirements defined by the organization, and verify evidence that the processes and controls required are implemented and delivering the expected results. From this information you will conclude for the compliance of the audited process and the identification of nonconformities to be treated.
3) How to know if we are building right system and not just a certificate compliance?
Answer: To build a system that will add value to an organization, you must ensure its alignment with the main organizational concerns about information security, as well as the concerns of other interested parties (e.g., customers, supplies, workforce, etc.). You can evidence this alignment through the system's scope and objectives.
4) Time planning needed when we as the client support the consultant in ISMS implementation.
Answer: Talking about time planning it is a bit complicated, because every implementation is unique in terms of the scope and resources available. It is more convenient to plan considering the deliverables a consultant has to deliver to ensure a successful implementation, such as procedures, policies, controls and training.
Answer: EU GDPR only will come to force on 25 May 2018, so there are no companies penalized for not being in compliance to it until this moment. Regarding penalties, depending on the situation, the penalties may vary from 2% up to 4% of total worldwide annual turnover of the preceding financial year.
2 - I want to know what is the impact of EU GDPR on India based companies operating in EU?
Answer: All organizations that handle personal data from EU citizens, even those not established in the EU will need to be compliant with EU GDPR if they will want to provide goods and services in the EU or to EU citizens.
3 - How Privacy Shield will work in parallel with this?
Answer: The EU-U.S. Privacy Shield is more of a U.S. EU initiative to help companies outside the EU to be compliant with EU GDPR, so in many points, by attending the Privacy Shield an organization will be compliant with EU GDPR. But both, content and approval of the Privacy Shield are a point of discussion, so the suggested alternative is to get legal support to identify where these frameworks may differ to take proper measures.
Thanks! I think I got the point. It seems that it is required to be pragmatic in the assessment...
Performance indicators in EMS
In simple words, environmental performance indicator is measurable representation of the status or condition of operations related to significant environmental aspects. For example, if your significant environmental aspect is CO2 emission, your environmental performance indicator can be amount of CO2 per unit of product.
Risks and opportunities and Leadership requirements
As a transition to ISO 9001:2015, how to address Risk based thinking? Do we need to have single process relating to risks planning OR every process should have "Risks and Opportunities" addressed in it?
How to implement Clause 5 "Leadership"?
Looking forward to hear from you.
Answer:
Risks and opportunities to be addressed are the ones related to entire context of the organization, not only the processes. It is better to have single process for all risks and opportunities, the easiest way to address this requirement of the standard is to arrange a meeting with all relevant people in the company and discuss possible risks and opportunities related to all elements of your business and then to plan action to address those risks and opportunities. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
The management will demonstrate leadership if all requirements from the clause 5 have been met. This means that the top management must, at least, approve the Quality Policy and conduct management reviews, along with other requirements such as providing resources, raising awareness, assigning responsibilities, etc. For more information about responsibilities to the top management, see: To what extent should top management be involved in your QMS? https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/
ISO 9001:2015 requirements and clauses
I need clarification if the standard requires and which clause this is stated in for:
4. methods for determining customer satisfaction is devised.
Requirements for measuring customer satisfaction are placed in clause 9.1.2.
5. all material used to manufacture the product must be traceable to its original source
Requirements for traceability are located in clause 8.5.2
6. All product nonconformities to be recorded.
Requirements for nonconformities are placed in clauses 8.7 and 10.2
7. A schedule or equivalent showing the current revision of documents
Requirements related to documented information are placed in 7.5
Thanks in advance for your help
What % of companies have already transitioned to ISO 9001:2015?
probably about 25% since there are still two more years for the transition
Defining BCMS scope
Answer: The BCMS should be implemented in all departments that can affect your organization's capability to deliver your products and/or services. For example, in a beverage industry the logistics department plays a crucial role in delivering the products, so it should be considered in a BCMS implementation. The same applies to air traffic control activities for airports. So, you should consider your business products and/or services nature to identify on which departments the BCMS should be implemented.