Search results


  • FMEA and addressing opportunities in ISO 9001


    Answer:

    FMEA (Failure Mode Effect Analysis) has limited applicability when it comes to addressing risks and opportunities within the QMS. Although it is highly applicable for risk assessment within the production and design and development processes, it fails to cover the entire scope of risk related to the QMS, since it doesn't perform well with risks emerging from the external context of the organization.

    As far as opportunities are concerned, FMEA doesn't cover them at all. The best way to identify opportunities is to arrange a brainstorming session with the most relevant people in the company and discuss the opportunities in terms of improving processes, enhancing customer satisfaction and achieving QMS or the company's objectives. Another problem is how you will take actions to address the opportunities; it can be done through corrective actions or any other action or project. What is important is to plan the actions and evaluate their effectiveness later.

    For more information about risks and opportunities, see:
    - How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • How are Risk assessment table and Risk treatment table different?


    Answer: Risk assessment table and Risk treatment table should be used separately, because in the Risk Assessment table you should list all the risks, whereas in the Risk treatment table you should copy only those risks that are not acceptable. The point is, in the Risk treatment table you will add controls only for the unacceptable risks and this is why you shouldn't mix this table with the Risk assessment table.

    When doing the risk assessment and treatment, you should develop the Risk assessment & treatment methodology first, because it will define all the rules for performing this task; it is also very important that you view the video tutorials that came with your toolkit - they will explain all the details on how to fill out the documents and provide you with a couple of real-life examples.

    These materials will also help you regarding risk assessment and treatment:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Conformio (online ISO 27001 tool) https://advisera.com/conformio/
  • HACCP and hierarchy of documents


    Answer:

    The documentation hierarchy is the same for any kind of management system, including HACCP. A good tip on how to determine a document's level on the pyramid is to see who writes it and who uses it. Documentation created and used by the top management is at the top, and records used by workers are at the bottom.

    The policy is at the top of the pyramid because it defines the strategy, mission and vision and general direction of the organization, and it is written by the top management.

    The second level is the manual; it defines the system and represents a foundation for it. It sometimes includes procedures but usually references them. It is usually written by the management representative.

    The third level consists of procedures, work instructions and SOPs. They define how activities and processes are carried out and by whom. They are usually written by mid management.

    At the bottom of the pyramid are records and reports that are used to demonstrate that the process was carried out as planned; they are used by workers.

    For more information about documentation structure, see: How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
  • Excluding engineering process from ISO 9001 scope


    Answer:

    Organizations are allowed to exclude any clause from ISO 9001:2015 if such a clause is not applicable to the organization. In your case, you can exclude clause 8.3 Design and development, and you should consider excluding clause 8.5.3 Property belonging to customers or external providers.

    For every clause you exclude from your Quality Management System, you must provide a justification; in your example, it can be a simple statement that you exclude clause 8.3 because you do not perform design and development as a process in your company.

    For more information about exclusions in ISO 9001:2015, see: What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
  • Acceptable level of risk


    Answer: ISO 27001 does not prescribe an acceptable level of risk, which means that each company must set its own acceptable level of risk - this is usually done through the Risk assessment methodology.

    See these articles for explanation:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    These materials will also help you regarding acceptable level of risk:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • PPAP and occurrence, severity and detection


    Answer:

    Production part approval process (PPAP) is used in the automotive supply chain for establishing confidence in component suppliers and their production processes. Actual measurements are taken of the parts produced and are used to complete the various test sheets of PPAP.

    The result of the PPAP approval process is a series of documents gathered in one specific location (a binder or electronically) called the "PPAP Package". The PPAP package is a series of documents which need a formal certification/sign-off by the supplier and approval/sign-off by the customer. The form that summarizes this package is called the PSW (Part Submission Warrant). The signature in the supplier certification area of the PSW indicates that the supplier-responsible person (usually the Quality Engineer or Quality Manager) has reviewed this package and that the customer-responsible person (usually a Supplier Quality Engineer or Supplier Quality Manager) has not identified any issues that would prevent its approval.

    PPAP is the confirmation that the product meets the customer requirements for series production. The PPAP will be considered signed when a full PSW is approved by your customer and added to the PPAP folder.

    PPAP does not require severity, occurrence and detection to be defined; those values are determined by applying the FMEA risk assessment methodology, and the results of this assessment are inputs for the PPAP. For more information about FMEA, see: Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
  • Process capability and Process Capability Index


    Cp (Process Capability Index) estimates what the process is capable of producing if the process mean were to be centered between the specification limits. It assumes that the process output is approximately normally distributed.

    Unfortunately, I cannot write you the formulas because of limitations in this writing tool, but you can find them online.
  • Documenting the context and risks and opportunities

    1. the organization context.
    2. the risks, opportunities, how to arrange that related to the other processes for documentation of ISO 9001:2015

    Answer:

    Both clause 4.1 Determining context of the organization and clause 6.1 Addressing risks and opportunities do not require documents. It is completely up to the organization to decide how it will document those requirements and even whether it is going to document them at all. However, since they are new requirements, I suggest that companies develop documented procedures for those clauses.

    When developing a procedure for determining the context of the organization, it is important to define who will be involved in determining the context of the organization, what elements of the context need to be considered, which parts of the context will be documented and how often the context will be reviewed. For more information about the context of the organization, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/ You can also download a free preview of our Procedure for Determining Context of the Organization and Interested Parties https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/

    In the case of addressing risks and opportunities, if you decide to create a documented procedure, you will again need to define the responsibilities within this process, and also the methodology, criteria for acceptance and frequency of revision. For more information about risks and opportunities, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/ You can also download a free preview of our Procedure for Addressing Risks and Opportunities https://advisera.com/9001academy/documentation/procedure-for-addressing-risks-and-opportunities/

    The way you address these clauses will not affect the other processes but rather the results of determining context and risks and opportunities will affect the processes. For example, the risk assessment may result in actions that include development of additional work instructions or making changes in the processes to avoid nonconformities.
  • ISO 27001 records of implementation

    1. Risk treatment plan (clauses 6.1.3 e and 6.2), to evidence what was planned for the control implementation (e.g., policies, procedures, trainings, etc.)
    2. Records of training, skills, experience and qualifications (clause 7.2), to evidence that people performing the control are competent to do so
    3. Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3), to provide information to be evaluated and trigger other related controls (e.g., incident response)
    4. Monitoring and measurement results (clause 9.1), to evidence the control is actually working
    5. Results of internal audits (clause 9.2), to evidence independent evaluation of the implemented control
    6. Results of the management review (clause 9.3), to evidence management follow-up of the risk treatment plan and the control results
    7. Results of corrective actions (clause 10.1), to evidence improvement

    Answer: The risk treatment plan evidences only that you made a plan to implement controls. You will need all the other listed information to evidence that the controls are actually in place, operating and being followed up properly, and that information will be spread across many areas of your organization (e.g., HR, operations, top management, etc.). You can think of the risk treatment plan as the source you will consult to find where all the "records of implementation" are.

    This article will provide you further explanation about what to consider as evidences of implementation:
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

    These materials will also help you regarding evidences of implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Datacenter procedures


    Answer: We don't have specific procedures for data center asset management in our documentation, but according to the processes you mentioned, I suggest you take a look at the following documentation:

    - Inventory of Assets https://advisera.com/27001academy/documentation/inventory-of-assets/
    - Change Management Policy https://advisera.com/27001academy/documentation/change-management-policy/
    - Internal Audit Checklist https://advisera.com/27001academy/documentation/internal-audit-checklist/

    Each document makes reference to which ISO 27001:2013 Annex A control they cover, so you can use this information to identify which items in the Internal Audit Checklist you need to use.

    There are free demos of them, so you can verify whether they meet your needs.

    These articles will provide you further explanation about how this documentation can help in asset management:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding how this documentation can help in asset management:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/