In simple words, an environmental performance indicator is a measurable representation of the status or condition of operations related to significant environmental aspects. For example, if your significant environmental aspect is CO2 emission, your environmental performance indicator can be the amount of CO2 per unit of product.
Risks and opportunities and Leadership requirements
As a transition to ISO 9001:2015, how do we address risk-based thinking? Do we need to have a single process relating to risk planning, or should every process have "Risks and Opportunities" addressed in it?
How to implement Clause 5 "Leadership"?
Looking forward to hearing from you.
Answer:
Risks and opportunities to be addressed are the ones related to the entire context of the organization, not only the processes. It is better to have a single process for all risks and opportunities; the easiest way to address this requirement of the standard is to arrange a meeting with all relevant people in the company, discuss possible risks and opportunities related to all elements of your business, and then plan actions to address those risks and opportunities. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
The management will demonstrate leadership if all requirements from clause 5 have been met. This means that the top management must, at least, approve the Quality Policy and conduct management reviews, along with other requirements such as providing resources, raising awareness, assigning responsibilities, etc. For more information about the responsibilities of the top management, see: To what extent should top management be involved in your QMS? https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/
ISO 9001:2015 requirements and clauses
I need clarification on whether the standard requires the following, and in which clause this is stated:
4. methods for determining customer satisfaction are devised.
Requirements for measuring customer satisfaction are placed in clause 9.1.2.
5. all material used to manufacture the product must be traceable to its original source
Requirements for traceability are located in clause 8.5.2.
6. All product nonconformities to be recorded.
Requirements for nonconformities are placed in clauses 8.7 and 10.2.
7. A schedule or equivalent showing the current revision of documents
Requirements related to documented information are placed in clause 7.5.
Thanks in advance for your help
What % of companies have already transitioned to ISO 9001:2015?
Probably about 25%, since there are still two more years for the transition.
Defining BCMS scope
Answer: The BCMS should be implemented in all departments that can affect your organization's capability to deliver your products and/or services. For example, in the beverage industry the logistics department plays a crucial role in delivering the products, so it should be considered in a BCMS implementation. The same applies to air traffic control activities for airports. So, you should consider the nature of your business products and/or services to identify in which departments the BCMS should be implemented.
Thanks, very helpful input. Will consider your suggestions.
ISO 27005 and ISACA RiskIT
Answer: Unfortunately we do not have this kind of material in our toolbox, but the RiskIT framework material provided by ISACA, in Appendix 2, has a high-level comparison with other risk management standards and frameworks, including ISO 27005. To download this material you only need a site login, which you can obtain free of charge. What I can tell you without incurring an Intellectual Property Rights violation is that the ISO 27005 processes (risk analysis, identification, estimation, and evaluation) are covered by the RiskIT process RE2 (Analyse Risk), but since RiskIT is a more specific framework, it has a deeper level of detail than ISO 27005.
Certification audit findings
I am confused about that; I have seen many report samples on Google but every one is different from the others. Should I submit the stage 1 report with a mention of all nonconformities and their corrective actions, or should I just submit a list of what I find, whether it was negative or positive?
Answer:
During both stages of the certification audit, the auditor can find minor and major nonconformities and observations. If you found any nonconformity during the stage 1 audit, you should write it in your report, but you shouldn't write corrective actions, because it is up to the organization to decide what kind of corrective action it will take to address the nonconformity.
Answer: External audit phase 1 verifies whether your documentation (e.g., policies and procedures) complies with the ISO 27001:2013 mandatory requirements (e.g., is there an information security policy?), so you have to verify whether you meet all "must" statements presented in the standard. Phase 2 looks for evidence that the procedures are implemented and achieving the expected results. The main checklists you have are the Statement of Applicability, where all the controls considered relevant are listed, and the Risk Treatment Plan, which lists how they are implemented. From there you will find which documents and records you have to present to the auditor.
I mean our company just develops and deploys our software in the cloud and gives access to our different customers. We are NOT a cloud hosting company like xxx or xxx.
Answer: As you said, you provide a SaaS service to your customers; it does not matter if you use a third-party infrastructure to do that. If their contractual relationship is with you, any problem your customers have that is caused by the cloud service provider you selected will be charged to you. So, I would recommend that you implement both ISO 27017 and ISO 27018, so you have the means to ensure that the cloud service provider you use to provide your SaaS service properly protects both its cloud infrastructure and your customers' data.