
  • Updating Quality Manual to match ISO 9001:2015


    I didn't know if I should have our quality manual follow the same format as the new ISO:2015, i.e. have the following clause headings.
    0) Introduction
    1) Scope
    2) Normative references
    3) Terms and definitions
    4) Context of organization
    5) Leadership
    6) Planning
    7) Support
    8) Operation
    9) Performance evaluation
    10) Improvement

    Is it advisable though to update to reflect new versions of the ISO?

    Answer:

    There is no requirement for the Quality Manual to follow the structure of the standard. The reason why companies decide to do so is that it helps them see how each of the clauses is met in their Quality Management System. Other than this, there are no reasons for adopting the clause headings of the standard in the manual.

    Furthermore, the standard no longer requires organizations to have a documented Quality Manual, so if you find it redundant for your QMS, you can even exclude it from your system. For more information, see: The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • Evaluating risks


    Answer:

    In order to evaluate risks you need to define criteria. Criteria can be based on one or several features. Usually the criterion for the evaluation of a risk is its severity or consequence: if the risk has a big severity or consequence, it is ranked higher on the list of risks, or it can be labeled as a significant risk, as opposed to insignificant risks with a small severity or consequence.

    Another feature that can be taken as a criterion for risk evaluation is the frequency of occurrence, or probability. Some risks can have a big consequence but rarely happen, so such a risk can be considered insignificant or low on the list of priorities. A risk with high probability and big consequence should be considered significant, or unacceptable, and such a risk should be addressed.

    There are additional criteria for the evaluation of risk, such as detection, that can be used, but the number and type of criteria to be used will depend on the needs of the company. Smaller companies will use simpler criteria that can be qualitative or quantitative, and bigger and more complex companies will use more criteria and a qualitative methodology.

    For more information, see: Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
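    A scoring of the criteria described in this answer (severity, probability and the optional detection criterion), added here as an example and not part of the original answer or of Advisera's materials; the 1-5 scales, the significance threshold and the sample risk register are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int                    # consequence, 1 (negligible) .. 5 (catastrophic)
    probability: int                 # frequency of occurrence, 1 (rare) .. 5 (almost certain)
    detection: Optional[int] = None  # optional third criterion, 1 (easily detected) .. 5 (undetectable)


def score(risk: Risk) -> int:
    """Priority number: severity x probability, multiplied by detection when that criterion is used."""
    value = risk.severity * risk.probability
    if risk.detection is not None:
        value *= risk.detection
    return value


def classify(risk: Risk, threshold: int = 10) -> str:
    """Label a risk. High probability together with big consequence is always 'unacceptable';
    otherwise the score decides, so a rare risk with a big consequence can still be 'insignificant'.
    Raise the threshold (assumed 10 here) when detection is part of the score."""
    if risk.severity >= 4 and risk.probability >= 4:
        return "unacceptable"
    return "significant" if score(risk) >= threshold else "insignificant"


def rank(register: List[Risk]) -> List[Risk]:
    """Order the register with the highest-priority risks first (ties keep input order)."""
    return sorted(register, key=score, reverse=True)


# Constructed sample register, made up for this example.
REGISTER = [
    Risk("Server room flooding", severity=5, probability=1),      # big consequence, rare
    Risk("Phishing credential theft", severity=4, probability=4),  # big consequence, frequent
    Risk("Supplier delivery delay", severity=3, probability=4),
    Risk("Typo in internal memo", severity=1, probability=5),      # frequent, negligible
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{score(r):>3}  {classify(r):<13} {r.name}")
```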
  • Transition from BS 25999 to ISO 22301


    Answer:
    ISO 22301 was developed taking into consideration BS 25999, so there are many similarities between the two standards. This article can help you to know more about these similarities, and also about the differences: “ISO 22301 vs. BS 25999-2 - An Infographic” https://advisera.com/27001academy/blog/2012/05/22/iso-22301-vs-bs-25999-2-an-infographic/

    Another standard related to business continuity, commonly used in the USA, is NFPA 1600. This article can also be interesting for you: “NFPA 1600 vs. ISO 22301 - Similarities and differences” https://advisera.com/27001academy/blog/2013/11/05/nfpa-1600-vs-iso-22301-similarities-and-differences/

    Finally, this ebook about ISO 22301 can also be interesting for you: “Becoming resilient, the definitive guide to ISO 22301 implementation” https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Transition from 2008 to 2015 of ISO 9001


    Answer:

    The most important thing about documentation in the new version of the standard is that it refers to it as "documented information", and this term includes both documents and records. There are far fewer requirements for documentation in the 2015 revision of the standard; there is no longer a requirement for a Quality Manual and the six mandatory procedures as in the 2008 revision.

    In order to conduct the transition, you need to update your existing documents to adapt them to the new requirements. Almost every requirement is altered to some extent and the clause numbering is changed, so every document will require at least minor updates. Also, you will have to decide whether to keep the documents and procedures that are no longer mandatory; for example, although the manual is no longer mandatory, lots of companies decide to keep it because they find it useful for their QMS.

    For more information, see:
    - How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Methodology for an IT audit


    Answer:
    ISO 27001 is developed for the establishment of an Information Security Management System, which means that this standard is for the protection of information; so, basically, ISO 27001 gives you a framework to identify risks and treat them by implementing security controls, many of them directly related to IT (but not all). So, this standard is not specifically developed to perform an IT audit, but you can use its security controls: in Annex A of ISO 27001 you can find a brief description of 114 security controls, while in ISO 27002 you can find the same security controls but with a guide on how to implement each control.

    So, maybe you can use Annex A of ISO 27001 to select a group of security controls (related to IT) that you want to audit, and if you need more information about each control you can see ISO 27002.

    This article can be interesting for you: “The basic logic of ISO 27001: How does information security work?” https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    And this article about how to develop a checklist for an internal audit for ISO 27001 can also be interesting for you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Finally, these materials will help you to know more about the security controls of ISO 27001 and how to audit them:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - free online training ISO 27001 Internal Auditor https://advisera.com/training/iso-27001-internal-auditor-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Implementing ISO 14001


    Answer:

    First, it would be better to implement ISO 14001:2015, because in this way you will avoid the transition process within the next two years.

    The first step in the implementation of ISO 14001 is to conduct a GAP analysis to determine to what extent the organization already meets the requirements of the standard. The next step is to develop a project plan with defined activities and documents to be created in order to achieve full compliance with the standard. Then you need to create the documents and update your processes so they align with the standard.

    After the implementation, you need to conduct an internal audit and a management review to ensure that your EMS (Environmental Management System) is compliant with the standard, and finally you can hire a certification body to conduct the certification audit and issue your company the certificate.

    For more information, see:
    - ISO 14001 Implementation diagram https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
    - 5 elements of a successful ISO 14001 project https://advisera.com/14001academy/blog/2015/03/23/5-elements-of-a-successful-iso-14001-project/
  • Process owners

    The process owners are usually defined in the part of the procedure that describes purpose, scope and users. In our documentation, it is section 1 of each procedure.
  • OHSAS 18001 and transition to ISO 45001


    Answer:

    The purpose of both ISO 45001 and OHSAS 18001 is to help organizations establish an occupational health and safety management system. Currently, only OHSAS 18001 is published while ISO 45001 is in development, so at this point organizations can only implement OHSAS 18001.

    Once ISO 45001 is published (and this is expected in September 2017), organizations will be able to choose between those two standards and tailor their system according to one or both of them. If you decide to implement OHSAS 18001 and later make the transition to ISO 45001, you will have to update your system in order to make it ISO 45001 compliant.

    In this way you will do most of the work during the implementation of OHSAS 18001, and later you will have to update the system; this wouldn't take too much time, but it is hard to say at this point since ISO 45001 is not published yet and we are not certain how much it will differ from OHSAS 18001. Given the experience with the transition of ISO 9001 and ISO 14001, the changes between OHSAS 18001 and ISO 45001 will be between 10 and 30%, so the transition wouldn't require a big effort.

    For more information, see: First glance at ISO/DIS 45001 – How different is it from OHSAS 18001? https://advisera.com/18001academy/blog/2016/01/20/first-glance-at-isodis-45001-how-different-is-it-from-ohsas-18001/
  • Aspects and risks


    Answer:

    The first difference is the fact that environmental aspects must be documented while risks and opportunities do not have to be. Regarding environmental aspects, the company must define a methodology for their evaluation and criteria for determining their significance. The process of identification and evaluation of environmental aspects is focused primarily on processes and their environmental impacts, while risks can emerge from any part of the context of the organization.

    Addressing risks and opportunities according to ISO 14001 does not require a documented procedure, an established methodology or even a register of records; it only requires taking actions to address them and monitoring the effectiveness of these actions.

    For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/