Search results

  • Determining scope of QMS


    Answer:

    When determining what parts of your company should be a part of your quality management system, you need to look first into the reasons for implementing the standard. Is it the requirement of the customer, is it a condition for applying to tenders, or is it a requirement of the company itself? The answer to this question will shape the scope of your QMS.

    If it is a requirement of the customer and it only refers to a product produced on only one of your production lines, you might decide to include in the scope only that production line and leave the others out of the scope; the same can be applied in the case of tenders as well. If it is a requirement of the company itself, it is most common to include the entire company in the scope.

    Regardless of the reason for implementing ISO 9001, you might choose to implement it in only several processes in the company, in one or more locations where your company has branches, or to cover one or more production lines and yet not cover the entire organization.

    Reasons for limiting the scope to only a part of the company can be to decrease the price of implementation and certification of the system or to cut the time of implementation.

    For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • ITSCM Plan

    2. Who is responsible to raise a Request for Change (RfC) if changes to the plan are needed?

    Answer:
    1. Activation of the plan – that could be the improvement manager or someone who detected an improvement opportunity. If you have a central place where all improvement initiatives (or requests) are communicated, then the improvement manager would be the one to activate the plan. Deactivation – that should be done “centralized”, so the improvement manager would be responsible for deactivation.
    2. That could be anyone involved in the improvement initiative (either someone who started the initiative, is working on it, or the improvement manager as the central point for coordination of all improvement initiatives).

    Read the article "Service Improvement Plan – For the sake of improvements" https://advisera.com/20000academy/knowledgebase/service-improvement-plan-sake-improvements/ to learn more about the Service Improvement Plan.
  • Effectiveness of security controls


    For example: Failure of a CNC machine is the identified risk. The CNC hasn't failed yet, but there is a chance.
    In this case, we identified some mitigation plans like:
    a) backup with another CNC machine
    b) immediate call for a technician to service
    c) preventive maintenance shall be performed on the CNC machine at scheduled intervals.

    So in this case, the risk has not happened yet, so how can we measure the effectiveness of the risk control?

    Answer:
    If I have understood well your question, you want to monitor the effectiveness of security controls, and for this basically you can establish metrics for each control. For example, if you have the control A.12.3.1 Information backup for a particular risk, you can define this metric:

    - Effectiveness of backup control = Backup fails / Total backups

    In your case, the metric could be:

    - Effectiveness of the CNC machine backup = Preventive maintenance performed / Preventive maintenance scheduled (in a year, or in a month, etc.)

    For each metric, you can also define some parameters like the frequency for monitoring the effectiveness (for example annually), the “objective value” (in your case, for example, 100%), etc.

    This article can be also interesting for you “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    And this free webinar can be also interesting for you “ISO 27001 and ISO 27004: How to measure the effectiveness of information security?” : https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/

    Finally, these materials will help you to know more about how to review the effectiveness of the security controls:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Auditing against ISO 9001:2015


    Answer:

    Auditing will be done in the same way as for the previous version. The fact is that the requirements for documentation are decreased, but compliance with the requirements will be audited during interviews with employees and management of the company. Although the majority of mandatory documented procedures from the previous version are no longer required, the requirements regarding records remain mostly as they were before, and the records should be evidence that the activities are performed according to the standard.

    For more information, see:
    - Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
  • Difference between 2008 and 2015 revisions of ISO 9001


    Answer:

    There are quite a lot of differences between the 2015 and 2008 revisions of ISO 9001. The biggest differences are the introduction of context of the organization and risk-based thinking as new requirements of the standard. Also, the new version of ISO 9001 adopted the Annex SL high-level structure, which means that the standard now has 10 instead of 8 clauses.

    There are also a lot of requirements that are no longer a part of ISO 9001, such as Quality Manual, Management representative, 6 mandatory procedures, etc.

    For more information about the differences, see:
    - ISO 9001:2015 vs. ISO 9001:2008 matrix https://advisera.com/9001academy/free-downloads//
    - Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/
    - Free webinar – ISO 9001:2015 vs. ISO 9001:2008 – The main changes https://advisera.com/9001academy/webinar/iso-90012015-vs-iso-90012008-the-main-changes-free-webinar-on-demand/
  • Intellectual Property Rights


    Answer:
    The control A.18.1.2 of Annex A of ISO 27001:2013 is related to Intellectual Property Rights, and to comply with this control basically you need to have a license of use for all assets that your organization has acquired (mainly software, but also books, videos, audios, etc.). So, simply, you can develop a list like this:

    - Windows 7 = 10 licenses, serial number = xxxxxxxxxxx, computers where it is installed….

    The external auditor could check if you have this license of use for all your assets.

    By the way, if you are interested to become ISO 27001 certified, this article can be interesting for you “Becoming ISO 27001 certified - How to prepare for certification audit” : https://advisera.com/27001academy/iso-27001-certification/

    And this article can also help you to know what to expect at a certification audit “Infographic: The brain of an ISO auditor - What to expect at a certification audit” : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

    Finally, these materials will help you to know more about the certification audit:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Assessing the residual risk


    Answer:
    If your question is about how to assess the residual risk, you simply need to consider that the security control is implemented and recalculate the risk. For example, if you use this formula for the calculation of risk:

    Risk = Likelihood x Impact

    After the implementation of the security control, probably the likelihood is reduced, and consequently the risk is reduced (this risk reduced after the implementation of the control is the residual risk).

    Then check if the risk is below or above the acceptable level. If the risk is below, you have done your work well (the treatment is ok). If the risk is above, you need to consider another control, or maybe another treatment (for example, assume the risk).

    This article can be interesting for you “Why is residual risk so important?” : https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    And also this one “Risk appetite and its influence over ISO 27001 implementation” : https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

    Finally, these materials will help you to know more about the residual risk:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Incorporating risk-based thinking into QMS procedures


    Answer:

    Risk-based thinking was already a part of ISO 9001 even before the latest version was published. Basically, the need for documenting procedures arises from the risk of emerging nonconformities within the processes.

    When identifying risks and opportunities, the company needs to take actions to address them, but that doesn't mean that all these actions must be documented or incorporated into procedures. Only if you detect the risk of nonconformities occurring within some of your processes and decide that additional work instructions or documented procedures will prevent them, then you should incorporate the action taken for this particular risk into your procedures.

    For more information, see: Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
  • Conducting data analysis according to ISO 9001


    Answer:

    Data analysis is carried out for the entire QMS. You need to collect information from various processes in order to conduct the analysis. The purpose of the analysis is to make conclusions regarding the following topics:
    - Conformity of products and services - Use information from the record arising from Procedure for Nonconformities and Corrective Actions and Procedures for Design and Development.
    - Degree of customer satisfaction - Use data from records arising from Procedure for measuring customer satisfaction.
    - Performance and effectiveness of the QMS - Use information from the records arising from the Matrix of Key Performance Indicators.
    - Effectiveness of actions taken to address risks and opportunities - analyse plans for addressing risks and opportunities and determine to what extent they have been accomplished.
    - External providers - Use information from the records that result from the procedure for purchasing and evaluation of suppliers.

    As you can see, the data needed for each part of the data analysis will be collected from different processes, and according to this, each process needs to produce the information needed for the analysis.

    During the management review, the top management will examine the data analysis report instead of going into too many details. The main purpose of the data analysis report is to provide processed information suitable for management review.

    For more information, see: Analysis of data obtained from Monitoring and Measurement https://advisera.com/9001academy/blog/2014/04/22/analysis-data-obtained-monitoring-measurement/
  • Design and development in educational institution


    Answer:

    Design and development in academic institutions usually relates to design and development of new courses, training and curricula. If the institution doesn't develop new curricula but only uses the ones prescribed by the state or some other institution, then this clause can be excluded.

    If the design process exists, the institution needs to create documents that will describe the information needed to demonstrate that design and development requirements have been met: design and development inputs, design and development controls, design and development outputs, and changes in design and development.

    For more information, see: The ISO 9001 Design Process Explained https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/