An auditor does not implement documents. An auditor does audits. While implementing a quality management system according to ISO 9001:2015 the mandatory documents and records can be seen in this article – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
You can find more information about documents and records below:
As ISO 45001 does not require one risk assessment method, there are many to choose from. Some people who are used to using the Failure Modes & Effects Analysis (FMEA) in design will use a similar method where they assess the severity, occurrence and detection of a hazard using a scale for each to assess the risk. If you are not familiar with the FMEA, or your hazards are not overly complicated, this method can be very complex.
Risk is defined as the combination of severity and occurrence. I like to use a grid for this, either a 2x2 or a 3x3. On the vertical axis of the grid you plot severity from low to high, and on the horizontal axis you plot occurrence from low to high. On the grid, when a hazard is high occurrence and high severity it is in a red area; low severity and low occurrence is in a green area. This makes it easy to look and see which are the worst hazards that should be better controlled.
You can read a bit more on hazard assessment in the article: How to identify and classify OH&S hazards, https://advisera.com/45001academy/blog/2015/05/14/how-to-identify-and-classify-ohs-hazards/
Without specific information about the findings’ statements and the context of your organization, it is not possible to provide a more proper answer.
Even though your ISMS scope is focused on the procurement system, you will still need to have employee records related to, e.g., training (these are mandatory ISMS records), and you will need to protect those records as well.
1. Hi, my company purchased templates from you for 22301. As I look through some of the docs I'm seeing some discrepancy in how documents are named and referenced (e.g., Business Continuity Management Policy vs. Business Continuity Policy).
Answer: Please note that Business Continuity Management Policy and Business Continuity Policy are similar terms, covering the practices that provide the capability to continue the business’ operations at a minimum agreed quality level in case of a disaster. The term “Business Continuity Management Policy” is normally used when the policy is related to the ISO 22301 standard, since this standard defines requirements for a business continuity management system.
2. I have a question on the "Risk Treatment Plan": according to 03.1, this document template should be in the 04 Toolkit Folder, but I do not see it in our package. Is this Plan just another title for the Methodology, or am I missing a document template? Thank you for your help!
03.1 Business Continuity Policy refers in Paragraph 3.3 to a Risk Treatment Plan, which I don’t see elsewhere in your list of documents. Is this the same as one of the documents in the 04 Risk Assessment and Treatment folder?
Answer: First of all, sorry for this confusion.
Please note that the risk treatment plan for ISO 22301 refers to a set of documents rather than a single document included in folder 07 Business Continuity Plan (i.e., the Business Continuity Plan and its annexes).
Its implementation is better explained in section 3.2 of template Business Continuity Strategy, located in folder 06 Business Continuity Strategy.
For further information, see:
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
It is fine if you use only the complementary document which covers the specifics of ISO 27017 and ISO 27018.
However, please be advised that these documents were made for companies that want to implement all 3 standards (ISO 27001, ISO 27017, and ISO 27018), and that ISO 27017 and ISO 27018 sections are not specifically marked in the text.
By the way, in case you do not need the Disposal and Destruction Policy, the Change Management Policy, and the Backup Policy as separate documents, you can skip those and use only the Security Procedures for the IT Department (the content of these policies is included in this template).
Please note that for some processes or services there are periods when they are more required, or need to provide more outputs, and these should be identified to help determine minimum business requirements.
For example, for a store, sales near commemorative dates (e.g., Christmas, Easter, Valentine’s Day) are considerably higher, and when planning minimum business continuity objectives you should consider them.
For further information, see:
To start off, the balance needs to be calibrated by a calibration laboratory periodically. To ensure that equipment (namely the balance in this case) is fit for purpose, and to provide metrological traceability for a test to be performed, the test laboratory must perform intermediate checks to ensure that the calibration is still valid. This is known as verification, which is usually performed on use or on a daily basis. The mass pieces used for verification must also be fit for purpose. This means you should have mass pieces that cover the range of use of the balance and have calibration certificates for the mass pieces. These should indicate that they are fit for purpose, meaning the accuracy and the measurement uncertainty are acceptable. Note that there are various classes of weights as per ASTM and OIML that are matched to the class of the balance. See OIML R 111-1 (E) Edition 2004 available at https://www.oiml.org/en/files/pdf_r/r111-1-e04.pdf. The laboratory must ensure both the balance and mass pieces are suitable to provide the resolution and accuracy required.
For more information on associated calibration intervals, refer to ILAC G24:2007 Guidelines for the determination of calibration intervals of measuring instruments (note currently under revision) available for download at https://ilac.org/?ddownload=818
For more information, have a look at
The article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
The ISO 17025 toolkit document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/
A person who performs education about ISO 13485:2016 must have some proof that he/she understands all necessary requirements which are specific to the medical device manufacturer. This proof can be a certificate as an ISO 13485:2016 Lead Auditor or experience working for medical device manufacturers. ISO 13485:2016 has some specifics which can be seen only in that standard; therefore, understanding and knowledge of ISO 13485 are necessary.
Here you can find more information about Supervisory Authorities:
If you are interested in implementing EU GDPR compliance, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
We are not experts in the MS Compliance tool, so what we can suggest is to ask your IT department to demonstrate how this tool covers each mandatory clause of ISO 27001 (clauses 4 to 10) and the controls from Annex A. From this assessment, you can identify whether this tool can cover all your needs or whether an additional solution is required.
For example, how does MS Compliance cover the definition of the ISMS scope? Does MS Compliance handle information security competence and awareness? How does MS Compliance handle controls A.7.1.1 Screening and A.7.1.2 Terms and conditions of employment?
From MS Compliance documentation made available by Microsoft, it seems that this tool covers a lot of clauses and controls from ISO 27001, but not all of them.
You can also sign up for a free trial in Advisera's ISO 27001 compliance software Conformio https://advisera.com/conformio/ and double-check how the Microsoft tool compares to it.