Search results


  • Combining the ISO 27001 policies into one manual

    Although it is acceptable by the standard to combine all of the ISO27001 documents into one manual handbook, in most cases, it is not a good idea, because if you put all the policies and procedures into a single document this will make the reading of such a document very difficult.

    Regarding version control and review, they would be performed the same way if documents are separately documented, but updated information will be consolidated in a single document.

    This article will provide you with a further explanation about the ISMS Manual:

    This material will also help you regarding ISMS documentation:

  • Identifying Opportunities in Lab

    A key requirement in a laboratory management system is to set up a process to monitor and track opportunities for improvement. These opportunities can come from a number of sources – have a look at the note in ISO 17025 clause 8.6. These include:

    • Evaluation of external and internal quality control trends, i.e. analysis of data. For example, introducing another control standard.
    • Evaluating risks and nonconforming events and, in cases where a risk is accepted, there may still be practical changes that could be introduced that may reduce the risk, although not essential. Meaning simple-to-implement changes.
    • Customer and personnel feedback.

    Use an Opportunity Register to record your evaluation of and decision to implement improvement.

    For more information regarding actions to address risks and opportunities, see the ISO 17025 toolkit document template: Addressing Risks and Opportunities Procedure

  • Monitoring, Measurement (9.1)

    Let us check ISO 9001:2015 clause 9.1.1.

    9.1.1 a) – What needs to be measured? What do you measure in your organization?

    • Quality objectives need to be measured for sure (please check clause 6.2.1 b) and e))
    • Process indicators need to be measured for sure (please check clause 4.4.1 c) and g))
    • Suppliers performance for sure (please check clause 8.4.1)
    • Customer satisfaction for sure (please check clause 9.1.2)

    When you write “Do we need to monitor and measure all items relate to my customer (students)?” my answer is yes and no. Customers are not all alike. Some customers are more critical than others, are more aligned with the competitive advantages of your organization and your strategic orientation. So, you should focus your measurement on those customers and on the needs and requirements that they value the most. For example, one can imagine that what is relevant for an Emirates client is not necessarily the same as for a Ryanair’s client.

  • PT/ILC

    You asked

    Do you know any PT house which works for *** as I am not able to find any.

    The requirement of PT or ILC for accreditation is to ensure the validity of results, by monitoring the performance of your laboratory’s results through comparison to that of other laboratories. Participation in Proficiency testing (PT) is one of the ways to demonstrate technical competence. This is a common challenge for a number of laboratories, where PT is not suitable, not practical or does not exist. Have a look at my response to a similar Q&A at https://community.advisera.com/topic/documentation-and-pt-program/

    I suggest you obtain the proficiency testing and other relevant policy and requirement documents from your selected accreditation body, and familiarise yourself with the ILAC document ILAC P9:06/2014 ILAC Policy for Participation in Proficiency Testing Activities, which sets out the policy the accreditation bodies must use in setting their own guidelines and policies. This document is available from https://ilac.org/publications-and-resources/ilac-policy-series/

    You also asked

    Also can we consider our previous testing which are done between *** and ***lab?

    This may be possible if your method and conditions have not changed, if the interlaboratory comparison is fit for purpose (e.g. correct tests, samples) and it meets the requirements of ISO 17025 and the accreditation body.

    The following ISO 17025 Academy document templates, available for purchase, may be of interest:

    You can also download the free demo: ISO 17025 Documentation Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Clinical Evaluation Plan

    We at Advisera recommend the Clinical evaluation plan as it is in our Documentation toolkit. The Clinical evaluation plan template is designed in accordance with the requirements stated in the MDR, Article 61 and Annex 14, and MEDDEV 2.7.1, rev 4.

    Consider the fact that both the Clinical evaluation plan and the Clinical evaluation report should be documents that can be read independently, so all relevant information should be there - a complete description of the product, all its characteristics, indications, contraindications, risks, etc. - for the auditor to understand completely what kind of product it is without looking at other documents from the Technical Documentation.

    According to the MDR, documents from the domain of clinical evaluation are checked by another auditor, and not by the one who conducts the audit directly with a manufacturer.

  • Questions for GDPR

    "I'm wondering if you could help me out with a couple of questions related to GDPR and controllers?

    Our company has clients who have personal data that our system collects from their employees and visitors to their premises. The clients have access to the data that our system collects. We (the company) determine the why and how data is collected, however the clients can see the data and even create reports from the personal data. Is this considered a controller to controller relationship, or would it be a controller to processor relationship? (i.e. is the client a controller because they are collecting personal data from employees and visitors?)


    I assume that your system provides a service to your clients and, while providing the service, processes personal data of employees and visitors (i.e., an access control software installed on premises). If this is the case, you are the data processor because you are providing the means for the data controller (your client) to process personal data of the employees and visitors for its own purposes (in our example, of access control software to guarantee safety).
    In fact, Article 28 GDPR states that the data processor is the one who processes personal data on behalf of the data controller.

    A second question we have is related to standard contractual clauses. Personal data that our clients collect is transferred to our servers located in Canada. Are SCCs required for the transfer of personal data from the EU/EEA to us for processing?"


    If your organization falls in the scope of The Canadian Personal Information Protection and Electronic Documents Act ("the Canadian Act") (and further amendments) you can benefit from the adequacy decision of the European Commission (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002) and you can proceed with data transfer according to Article 45 GDPR without implementing the Standard Contractual Clauses.
    Here you can find the list of countries with an adequacy decision: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en


    Here you can find more information about the difference between controller and processor and about the data transfer:
    EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
    3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/


    If you need to understand how to implement EU GDPR compliance, you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Qms in oil exploration and production

    Some examples could be:

    " XYZ Company located in ABC performing the management of subsidiaries involved in natural gas, gas condensate and oil production, transportation, processing and storage."

    " XYZ Company located in ABC performing the construction of new facilities for the gas supply system; expansion, renovation, maintenance and repairs of facilities; design of field development projects; prospecting, geological exploration, and development of gas, gas condensate and oil fields; supply and sales of natural gas; power generation; sales of natural gas."

    For more information about the scope you can see the following materials:

    - What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - Enroll for free in the course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Nonconformance Finding (ISO9001 Audit)

    First, ISO 9001:2015 promotes the process approach. So, I will use the auditor’s shoes focusing my attention only on processes and clauses.

    There are no mandatory requirements for procedures (please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ ). So, the non-existence of procedures is not in itself a reason to issue a non-compliance. The auditor may expect that, but it is not in the standard, period.

    Compliance with ISO 9001 will be assessed by translating ISO 9001 clauses 4.4.1, 8.2, and 8.4, for example, into a set of requirements. For example, which processes cross the sales and purchasing departments? Are those processes effective? What indicators are used to assess effectiveness? Are they measured, are they evaluated, are decisions made? For example, about clause 8.2, I as an auditor would start with orders received from clients and would ask for evidence of what ISO 9001 requires; the same for clause 8.4 for deliveries from suppliers. For example, about clause 8.4.1 the auditor can ask for:

    • Which controls are applied?
    • Which criteria are applied?
    • Which records of supplier qualification, selection, and performance monitoring?

  • Review

    I’m assuming that by the inspector you mean certification auditor.

    The following documents are not mandatory for ISO 27001 and templates for them are not included in the toolkit to avoid the unnecessary administrative effort to manage documents. You should ask for clarification from the auditor about the need for these documents:
    - Organization chart
    - Integrated System Manual (or equivalent)
    - Context analysis
    - Continuity Plan

    The following are the documents required by ISO 27001, and templates for them can be found in the toolkit as follows:
    - Information Security Policy, located in folder 4 General Policies
    - Applicability statement, located in folder 6 Applicability of Controls (Statement of Applicability)
    - Risk analysis, located in folder 5 Risk Assessment and Risk Treatment (Risk Assessment Table)
    - Management Review, located in folder 11 Management Review (Management Review Minutes)
    - Internal Audit Report, located in folder 10 Internal audit

    Please note that although the documents are nearly 90% complete, they still need to be customized by the customer for use in the organization (e.g., Information Security Policy), or the activities related to them need to be performed so results can be recorded (e.g., for Management Review, and Audit Report).

    These are the documents required by ISO 27001 only if specific controls are deemed applicable in the SoA, and they can be found in the toolkit as follows:
    - Asset List, located in folder 8 Annex A Security Controls >> A.8 Asset Management
    - Disaster Recovery, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

    These articles will provide you with a further explanation about ISO 27001 mandatory documents:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

  • Statement of Applicability

    If you understand that multiple controls are needed to decrease risk to an acceptable level, then you can add multiple controls next to each risk in the Risk Treatment Table.

    Regarding the Statement of Applicability, please note that all controls related to risks need to be documented in the Risk Treatment Table, not only those you consider the most important.

    These articles will provide you with a further explanation about risk assessment and treatment:

    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    By the way, included in your toolkit you have access to video tutorials that can help you fill in the Risk Treatment Table. This tutorial will show you how additional controls are added.
