Search results

  • How to define scope of ISO 27001 for software development company


    Answer: ISO 27001 does not distinguish between different types of companies, so the process of defining the scope for a software company is the same as for any other company. Generally speaking, for a company of up to 100 employees the best option is to include the whole company in the scope.

    These articles will help you:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • Clarification of terms


    Answer:

    The purpose of an organization is the fundamental reason why the organization exists. The purpose of an organization is not the answer to the question “What do you do?” which typically focuses on products, services and customers, but rather the answer to the question “Why is the work you do important?”

    Strategic planning is an organization's process of defining its strategy, or direction, and making decisions on allocating its resources to pursue this strategy. It may also extend to control mechanisms for guiding the implementation of the strategy. Strategic direction is a course of action that leads to the achievement of the goals of an organization's strategy.

    Intended results represent objectives of your organization, both quality and business objectives.
  • Implementing ISO 9001 in finance department

    You can use this Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/ and apply it to your department. First, it is better to check with your Quality Manager whether the Finance Department is included in the Quality Management System. In many companies it is not included explicitly; in some companies it participates, for example, in negotiating conditions with customers (clause 8.2).

  • What if an organization is not interested in surveillance audits?


    Answer: A surveillance audit is performed by the certification body, and it is mandatory. Therefore, if you have e.g. an ISO 27001 certificate, you cannot avoid this surveillance audit. The only way to stop these audits is to cancel your certification.

    See also: Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
  • Evaluation of environmental aspects


    Answer:

    The first step would be to define criteria for the evaluation of environmental aspects and criteria for the significance of environmental aspects. All this is done during the definition of the methodology for evaluation of environmental aspects.

    The next step would be to identify the environmental aspects by analysing each process and activity within the scope of the EMS. Once all environmental aspects are identified, they need to be related to environmental aspects and then the evaluation should be conducted. For each significant environmental aspect you need to establish operational control to decrease the impact. For more information, see: 4 steps in identification and evaluation of environmental aspects https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
  • Becoming ISO 9001:2015 certified


    Answer:

    In order to get your company certified against ISO 9001:2015 you first need to implement the standard and then hire a certification body to conduct the certification audit.

    The implementation consists of two main parts. First, you need to develop the documentation required by the standard itself and the documents that the organization needs to maintain the QMS (Quality Management System) effectively. For more information, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    The second part of the implementation is to update your processes and develop new ones to meet the requirements of the standard regarding different aspects of your business, from purchasing and sales to production and delivery of products and services.

    Once the standard is implemented, the certification body will conduct the certification audit and, if the organization is compliant with the standard, issue the organization the certificate.

    For more information, see: Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • Can we handle ISO 27001 implementation remotely?

    Thank you
  • Risks in ISO 9001

    I also have some questions from the consulting process, but I have to study more on the spirit of ISO 9001:2015. For now I would like to ask you questions relating to the item Risk-based thinking, as follows:
    1. Shall the organization address the risk for the realization process, for all processes, or only for critical processes?
    2. Is risk-based thinking for all processes of the system described by establishing documented information under a support procedure?
    3. Is risk-based thinking a new way of thinking to be set in the minds of personnel whose work affects quality, so that records from problem solving, decision taking, eliminating risk, etc. can demonstrate it? So that there is no need to have a procedure to analyse risk or for risk evaluation?
    Once again, thanks a lot for your support.

    Answers:

    1. The organization needs to consider the entire context of the organization, not only the processes, but it doesn't mean that you need to identify risks for each process. You can conduct a global assessment on the organizational level and that can be enough; then again, you can go into details. It depends on the needs of the organization; the standard allows a lot of freedom regarding this requirement.

    2. Documented procedures exist to prevent the risk of not complying with the activities in the processes, and in that sense they are used for avoiding risk. Also, some activities like inspection or monitoring certain parameters within the process serve as a precaution. But not all processes carry such risk within them, so there doesn't have to be a documented procedure for each process.

    3. Addressing risks and opportunities belongs to the planning phase of the QMS, so it is a requirement related mainly to top and middle management, not employees. The management of the company should think about risks and opportunities related to the QMS and take actions to address them.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Design Coordination Manager


    Answer:
    Yes, one of the Design Coordination Manager's tasks is to ensure that overall service strategies are reflected in the service design practice and, additionally, that the design of the service solution meets business outcomes and customer requirements.
    Read the article "Design coordination process – creating a solid foundation" https://advisera.com/20000academy/blog/2013/07/31/design-coordination-process-creating-solid-foundation/ to learn more.
  • How to integrate ISO 27001: 2013 with HIPAA security rules

    Thank you for explaining. My understanding is that HIPAA security rules can be easily accommodated by implementing ISO 27001:2013 in letter and spirit, because the HIPAA security rules specify three requirements, i.e. that security should be managed administratively, technically and physically, and this is pretty much the same concept as the ISO 27001:2013 standard.