Search results


  • Is it mandatory to use a consultant for QMS and should we request a certificate from the auditor?

    ISO 9001:2015 does not specifically require organizations to use a consultant for QMS implementation or to acquire an auditor's certificate. ISO 9001 emphasizes that organizations are responsible for developing, implementing, and maintaining their QMS.

    The decision to engage a consultant or acquire auditor certification is typically at the discretion of the organization. Many organizations choose to work with consultants for various reasons, including expertise, guidance, and resources. However, this is a business decision and not a mandatory requirement outlined in the ISO 9001 standard.

    It's important to note that while the ISO 9001 standard doesn't mandate these activities, organizations should ensure that their chosen consultants or auditors are qualified and competent to provide the necessary expertise and meet the standard's requirements. Additionally, some industries or sectors may have specific regulations or customer requirements that influence the use of consultants or auditors, but this is not a requirement dictated by the ISO 9001 standard itself.

    You can find more information below:

  • How to write a separate strategic risk assessment?

    To define strategic risk assessment separately from operational risk assessment and assign appropriate rankings, first, identify strategic risks that could affect your long-term objectives, such as market changes or regulatory shifts. Develop a unique set of criteria for strategic risks, considering their impact and likelihood.
    For these strategic risks I use clauses 4.1, 4.2 and 6.1.1. Please check this free webinar-on-demand - How to Implement Risk Management in ISO 9001:2015 slide 11. Although it is about ISO 9001, I think it can help.
     
    For operational risks, focus on environmental aspects and impacts and consider abnormal and emergency situations. Then, assign rankings based on the specific criteria for each category. Strategic risks may receive rankings based on their potential impact on long-term goals, while operational risks are ranked according to their daily impact and likelihood.
     
    You can find more information in:

  • Writing standard operating procedure

    As the purpose of a standard operating procedure is to minimise deviations by standardising the process,  documenting a process as an SOP starts with knowing the risks and critical steps that should be controlled and carefully communicated. The depth of detail in the SOP will depend on the context of your laboratory, for example, the number of people performing the task and their competency.

    Standard operating procedures for any laboratory are typically divided into two categories – management (nontechnical) and technical. An example of a management procedure would be for handling non-conformances and corrective actions. Technical SOPs could either document, for example, the approach to method validation or document the test methods themselves. Either way, it is recommended that you have a standard format. For more information, have a look at the Advisera Toolkit https://advisera.com/toolkits/?standard=iso-17025 and a previous question: https://community.advisera.com/topic/document-and-record-control-procedure-means-what-are-the-procedure-will-include/

  • TISAX and ISO 27001

    We are not experts on TISAX, but what we know is that the TISAX evaluation criteria are based on VDA Information Security Assessment (ISA), which in turn is based on ISO 27001 Annex A.

    ISO 27001 does not require separate offices or areas for IT personnel. However, if you have a legal or regulatory requirement to have separate offices for IT personnel, or during your risk management process you conclude that such offices are required, then you would need to implement separate offices.

  • Security Awareness Training Records

    ISO 27001 does not require attendance at awareness sessions to be recorded (in general, auditors check awareness levels by interviewing personnel), but it is recommended to have such records for a certification audit.

    Advisera's Security Awareness Training automatically creates records of attendance. To download the training report, log in as an admin to your training account and go to "Users." Click the "Training report" button on the top right of the screen, and the PDF report will be downloaded to your computer.

    Check our article that will show you how to perform training and awareness for ISO 27001 and ISO 22301.

  • Clarification Regarding Control Review Frequency in Policy Documents

    Controls can be reviewed at a different frequency than those defined for the review of documents related to them. You only need to ensure that control review results are considered in the next document review. Please also note that, depending upon the controls review results, an immediate review of documents may be necessary. 

    Check our article for further information on performing monitoring and measurement in ISO 27001.

  • Risk levels and decision-makers

    ISO 27001 does not prescribe who needs to determine the level of risk, but as a good practice, this definition is made by the risk owner, who needs to accept the residual risk defined after the selection of risk treatment (see ISO 27001 clause 6.1.3 f).

    His decision is based on the risk levels defined in the Risk Assessment and Risk Treatment Methodology Document (the risk assessment and treatment processes need to be documented as required by clauses 6.1.2 and 6.1.3).

    For further information, see:

  • Food Packaging Testing

    ISO 17025 is applicable to calibration and testing laboratories. If you seek ISO 17025 accreditation as a testing laboratory, the laboratory needs to meet all the mandatory requirements of the Standard. The processes and procedures that would be part of the scope relate to all general quality management and technical requirements.
    I suggest you become familiar with ISO 17025 and perform a gap assessment (internal audit) of the requirements of ISO 17025 against what you already have in place for your Medical Device Manufacturer QMS.

    For more information on ISO 17025 and the processes and documents to put in place, start here https://advisera.com/iso-17025 and see the available resources, including the Checklist of mandatory documents required by ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025. Then have a look at what the toolkit can offer to assist with the requirements for internal audits: https://advisera.co/ISO17025Toolkit

  • ISO 27001 Internal Auditor Course Question

    Please note that the Audit Program and Audit Plan are different documents.

    An Audit program refers to all audits planned for a period of time, while an Audit plan specifies the details of one specific audit; Audit program is mandatory, while Audit plan is not.

    For further information, see our complete guide for internal audit.

