Search results


  • Auditing against ISO 9001:2015


    Answer:

    Auditing will be done in the same way as for the previous version. The fact is that the requirements for documentation are decreased, but compliance with the requirements will be audited during interviews with employees and management of the company. Although the majority of mandatory documented procedures from the previous version are no longer required, the requirements regarding the records remain mostly as they were before, and the records should be evidence that the activities are performed according to the standard.

    For more information, see:
    - Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
  • Difference between 2008 and 2015 revisions of ISO 9001


    Answer:

    There are quite a lot of differences between the 2015 and 2008 revisions of ISO 9001. The biggest differences are the introduction of context of the organization and risk-based thinking as new requirements of the standard. Also, the new version of ISO 9001 adopted the Annex SL high-level structure, which means that the standard now has 10 instead of 8 clauses.

    There are also a lot of requirements that are no longer a part of ISO 9001, such as Quality Manual, Management representative, 6 mandatory procedures, etc.

    For more information about the differences, see:
    - ISO 9001:2015 vs. ISO 9001:2008 matrix https://advisera.com/9001academy/free-downloads//
    - Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/
    - Free webinar – ISO 9001:2015 vs. ISO 9001:2008 – The main changes https://advisera.com/9001academy/webinar/iso-90012015-vs-iso-90012008-the-main-changes-free-webinar-on-demand/
  • Intellectual Property Rights


    Answer:
    The control A.18.1.2 of Annex A of ISO 27001:2013 is related to Intellectual Property Rights, and to comply with this control you basically need to have a license of use for all assets that your organization has acquired (mainly software, but also books, video, audio, etc.). So, simply, you can develop a list like this:

    - Windows 7 = 10 licenses, serial number = xxxxxxxxxxx, computers where it is installed….

    The external auditor could check if you have this license of use for all your assets.

    By the way, if you are interested in becoming ISO 27001 certified, this article can be interesting for you “Becoming ISO 27001 certified - How to prepare for certification audit” : https://advisera.com/27001academy/iso-27001-certification/

    And this article can also help you to know what to expect at a certification audit “Infographic: The brain of an ISO auditor - What to expect at a certification audit” : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

    Finally, these materials will help you to know more about the certification audit:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Assessing the residual risk


    Answer:
    If your question is about how to assess the residual risk, you simply need to consider that the security control is implemented and recalculate the risk. For example, if you use this formula for the calculation of risk:

    Risk = Likelihood x Impact

    After the implementation of the security control, probably the likelihood is reduced, and consequently the risk is reduced (this risk reduced after the implementation of the control is the residual risk).

    Then check whether the risk is below or above the acceptable level. If the risk is below, you have done your work well (the treatment is ok). If the risk is above, you need to consider another control, or maybe another treatment (for example, assume the risk).

    This article can be interesting for you “Why is residual risk so important?” : https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    And also this one “Risk appetite and its influence over ISO 27001 implementation” : https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

    Finally, these materials will help you to know more about the residual risk:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
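    A worked version of the recalculation described in this answer, as an added example that is not part of the original post: the 1-5 likelihood and impact scales, the acceptable level of 6, the modelled control effects and the sample register are all assumptions.

```python
# Added example: residual risk using the answer's formula Risk = Likelihood x Impact.
# Scales (1-5), the acceptable level and the control effects are assumed values.

ACCEPTABLE_RISK = 6  # assumed acceptable level on a 1-5 x 1-5 scale (max 25)


def risk(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact, as in the answer above."""
    return likelihood * impact


def residual_risk(likelihood: int, impact: int,
                  likelihood_reduction: int, impact_reduction: int) -> int:
    """Recalculate the risk with the control considered implemented.
    A control is modelled as removing steps from likelihood and/or impact;
    neither can drop below 1, since a control never makes a threat impossible."""
    return risk(max(1, likelihood - likelihood_reduction),
                max(1, impact - impact_reduction))


def treatment_decision(residual: int, acceptable: int = ACCEPTABLE_RISK) -> str:
    """Compare the residual risk with the acceptable level (risk appetite)."""
    if residual <= acceptable:
        return "treatment ok"
    return "above acceptable level: add another control or accept the risk"


def assess(register):
    """Return {risk name: (inherent risk, residual risk, decision)} for a register."""
    results = {}
    for name, likelihood, impact, lik_red, imp_red in register:
        inherent = risk(likelihood, impact)
        residual = residual_risk(likelihood, impact, lik_red, imp_red)
        results[name] = (inherent, residual, treatment_decision(residual))
    return results


# Constructed sample register: (name, likelihood, impact, likelihood steps
# removed by the chosen control, impact steps removed by the control)
SAMPLE_REGISTER = [
    ("Ransomware on file server", 4, 5, 2, 2),  # patching + tested backups
    ("Lost laptop with client data", 3, 4, 0, 3),  # full-disk encryption
    ("Phishing credential theft", 5, 4, 1, 0),  # awareness training only
]

if __name__ == "__main__":
    for name, (inherent, residual, decision) in assess(SAMPLE_REGISTER).items():
        print(f"{name}: inherent={inherent} residual={residual} -> {decision}")
```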
  • Incorporating risk-based thinking into QMS procedures


    Answer:

    Risk-based thinking was already a part of ISO 9001 even before the latest version was published. Basically, the need for documenting procedures arises from the risk of nonconformities emerging within the processes.

    When identifying risks and opportunities, the company needs to take actions to address them, but that doesn't mean that all these actions must be documented or incorporated into procedures. Only if you detect the risk of nonconformities occurring within some of your processes, and decide that additional work instructions or documented procedures will prevent them, should you incorporate the action taken for this particular risk into your procedures.

    For more information, see: Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
  • Conducting data analysis according to ISO 9001


    Answer:

    Data analysis is carried out for the entire QMS. You need to collect information from various processes in order to conduct the analysis. The purpose of the analysis is to draw conclusions regarding the following topics:
    - Conformity of products and services - Use information from the record arising from Procedure for Nonconformities and Corrective Actions and Procedures for Design and Development.
    - Degree of customer satisfaction - Use data from records arising from Procedure for measuring customer satisfaction.
    - Performance and effectiveness of the QMS - Use information from the records arising from the Matrix of Key Performance Indicators.
    - Effectiveness of actions taken to address risks and opportunities - analyse plans for addressing risks and opportunities and determine to what extent they have been accomplished.
    - External providers - Use information from the records that result from the procedure for purchasing and evaluation of suppliers.

    As you can see, the data needed for each part of the data analysis will be collected from different processes, and accordingly, each process needs to produce the information needed for the analysis.

    During the management review, the top management will examine the data analysis report instead of going into too many details. The main purpose of the data analysis report is to provide processed information suitable for management review.

    For more information, see: Analysis of data obtained from Monitoring and Measurement https://advisera.com/9001academy/blog/2014/04/22/analysis-data-obtained-monitoring-measurement/
  • Design and development in educational institution


    Answer:

    Design and development in academic institutions usually relates to design and development of new courses, training and curricula. If the institution doesn't develop new curricula but only uses the ones prescribed by the state or some other institution, then this clause can be excluded.

    If the design process exists, the institution needs to create documents that will describe the information needed to demonstrate that design and development requirements have been met, design and development inputs, design and development controls, design and development outputs, and changes in design and development.

    For more information, see: The ISO 9001 Design Process Explained https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
  • Demonstrate evidence of understanding the context


    Answer:

    Determining the context of the organization in terms of ISO 14001 includes considering environmental conditions being affected by or capable of affecting the organization. This means that you need to consider the environmental conditions around the company, how they can affect the company, and how the company's operations can affect the environment. You do not have to create any document regarding this, since the standard does not require it, but you can refer to some environmental study conducted by the local community or something similar regarding the external context. As a part of the internal context, you can refer to your environmental aspects assessment.

    For more information, see: Determining the context of the organization in ISO 14001 https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/
  • How to identify assets


    Answer:
    Regarding the first question, basically you need to list all the assets in your company and group them in some categories like hardware (laptops, printers), software, etc.

    This article can help you to identify assets in your organization “How to handle Asset register (Asset inventory) according to ISO 27001” : https://ad*********m/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    The risk assessment is done by assets, not by controls, so controls are selected after the risks have been identified. This article can be also interesting for you “The basic logic of ISO 27001: How does information security work?” : https://ad********* m/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    Regarding your second question, you are right, ISO 27001:2013 does not require an asset-based method for the risk methodology, although it is our recommendation because it is very easy to understand, and the consequences and likelihood are still required in the current version of the standard.

    Finally, these materials will help you to know more about how to perform the risk assessment & treatment in your organization:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://ad*********m/27001academy/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Violation of the ISO 27001 certification


    Answer: During the time your company is certified against ISO 27001, if you become non-compliant with the standard, then the certification body might revoke your certificate during the surveillance visit (depending on whether the nonconformity is major or minor).

    You can get legal penalties only if you break some law/regulation, or if you violate the contractual obligations.

    See also these articles:
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/