
  • Nonconformance Finding (ISO9001 Audit)

    First, ISO 9001:2015 promotes the process approach. So, I will put myself in the auditor’s shoes, focusing my attention only on processes and clauses.

    There are no mandatory requirements for procedures (please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ ). So, the non-existence of procedures is not in itself a reason to issue a non-compliance. The auditor may expect that, but it is not in the standard, period.

    Compliance with ISO 9001 will be assessed by translating ISO 9001 clauses 4.4.1, 8.2, and 8.4, for example, into a set of requirements. For example, which processes cross the sales and purchasing departments? Are those processes effective? What indicators are used to assess effectiveness? Are they measured, are they evaluated, are decisions made? For example, about clause 8.2, I as an auditor would start with orders received from clients and would ask for evidence of what ISO 9001 requires; same for clause 8.4 for deliveries from suppliers. For example, about clause 8.4.1 the auditor can ask for:

    • Which controls are applied?
    • Which criteria are applied?
    • Which records of supplier qualification, selection, and performance monitoring are kept?
  • Revision

    I’m assuming that by the inspector you mean certification auditor.

    The following documents are not mandatory for ISO 27001 and templates for them are not included in the toolkit to avoid the unnecessary administrative effort to manage documents. You should ask for clarification from the auditor about the need for these documents:
    - Organization chart
    - Integrated System Manual (or equivalent)
    - Context analysis
    - Continuity Plan

    The following are the documents required by ISO 27001, and templates for them can be found in the toolkit as follows:
    - Information Security Policy, located in folder 4 General Policies
    - Applicability statement, located in folder 6 Applicability of Controls (Statement of Applicability)
    - Risk analysis, located in folder 5 Risk Assessment and Risk Treatment (Risk Assessment Table)
    - Management Review, located in folder 11 Management Review (Management Review Minutes) 
    - Internal Audit Report, located in folder 10 Internal audit

    Please note that although the documents are nearly 90% complete, they still need to be customized by the customer for use in the organization (e.g., Information Security Policy), or the activities related to them need to be performed so results can be recorded (e.g., for Management Review, and Audit Report). 

    These are the documents required by ISO 27001 only if specific controls are deemed applicable in the SoA, and they can be found in the toolkit as follows:
    - Asset List, located in folder 8 Annex A Security Controls >> A.8 Asset Management
    - Disaster Recovery, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

    These articles will provide you with further explanation about ISO 27001 mandatory documents:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

  • Statement of Applicability

    If you understand that multiple controls are needed to decrease risk to an acceptable level, then you can add multiple controls next to each risk in the Risk Treatment Table.

    Regarding the Statement of Applicability, please note that all controls related to risks need to be documented in the Risk Treatment Table, not only those you consider the most important. 

    These articles will provide you with further explanation about risk assessment and treatment:

    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    By the way, included in your toolkit you have access to video tutorials that can help you fill in the Risk Treatment Table. This tutorial will show you how additional controls are added.

  • Non-conforming work

    Nonconforming work is an event when an aspect of the laboratory’s activities or results of this work (outcome or actual test results) deviated from what was supposed to happen. It can happen whenever there is a deviation from the laboratory’s own procedures or agreements with a customer. For example, equipment performance was not verified (as required in a procedure), or incorrect sample storage meant a sample could not be tested. Another example would be if environmental conditions are found to be out of specified limits and the sample analysis was delayed. This means that even if the sample is stable and the results are not affected, this is still a nonconforming event (work) because the existing control of a risk (temperature) failed and an objective of turnaround time, for example, or customer satisfaction is affected.

    For further information on dealing with nonconformances, see the Article Corrective actions principles and root cause analysis in ISO 17025 at https://advisera.com/17025academy/blog/2020/11/04/corrective-actions-principles-and-root-cause-analysis-in-iso-17025/

    and the Toolkit ISO 17025 templates: 

  • Control procedure

    Writing a new procedure covering the specifics for information security-related documents is acceptable to fulfill ISO 27001 criteria.

    Another possibility is to adjust your current document to define the specification for information security. For example, you can write:

    • “QMS documents are approved by [job title responsible for QMS], and ISMS documents are approved by [job title responsible for ISMS]”
    • “Information Classification levels are applicable only to ISMS documents”
    • “Permissions for retrieving records are applicable only to ISMS documents”
  • FDA

    1. Does the EU also have an emergency use authorization as the FDA does for medical devices, specifically ventilators?

    Yes, the EU also has a strategic rescue stockpile of medical equipment for COVID-19. All details can be found at the following link: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_476

    2. Are you familiar with the process for EUA Authorization of the FDA?

    Yes, we are familiar with the information that can be found on the Internet. Feel free to ask what interests you.

  • Verifying customers' identity

    "Should we be verifying customers' identity via email when the email they are contacting us from is the same email they used to purchase a product from us?"

    I assume you are asking if you need to verify the identity of the customer when he/she contacts you in order to exercise the data subject's rights. The answer is yes, you need to be sure that the individual requesting to access, delete, or modify personal data is the legitimate data subject.


    Here you can find more information about data subjects rights:
    Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
    Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/


    If you want to understand how to implement GDPR compliance in your organization, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Manage Risk Effectively

    First, ISO 9001:2015 promotes using the process approach. Using the departmental approach is not wrong, but it is not the most effective approach.

    In this free on-demand webinar - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/ - I show some examples of determining risks and then acting on them. ISO 9001:2015 mentions risk in relation to:

    • Context interacting with interested parties (clause 6.1)
    • Products and services (clause 5.1.2 b))
    • Processes (clause 4.4.1) 

    Your organization is a set of interrelated processes. Each process is a set of activities that transform inputs into desired outputs.

    ISO 9000:2015 defines risk as the effect of uncertainty. Because there is uncertainty, sometimes we don’t have the expected:

    • Inputs
    • Activities
    • Outputs
    • Results 

    For example, what is a non-conformity? We don’t design processes to deliver non-conformities. So, when a non-conformity happens, we have the manifestation of risk. Non-conformities are potential risks that have materialized. Same for complaints.

    Seen in this way, the risk-based approach is a very effective methodology for developing a plan to control a process, its quality, and its results. The control will materialize, for example, in operations of control, verification, improvements in the process, in work instructions, in improvements in monitoring, in increasing the competence of the participants.

    You can find more information below about risks.

  • Questions regarding ISO27001 documentation

    1 - In the pack that we bought, we can’t find the document regarding Business Continuity Strategy. First I thought that it is the same as the Disaster Recovery Procedure, but after having a look here https://advisera.com/27001academy/documentation/business-continuity-strategy/, I found out that this is not the case. Could we receive a .doc Italian version of this document, like we did for the rest?

    ISO 27001 aspects on business continuity process (section A.17 from ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations, so a Business Continuity Strategy document is not mandatory for this standard, and you will only need the DRP template included in your toolkit. In this DRP template, in the first row of the table in section 3 you can describe an overview of your Business Continuity Strategy (this will be sufficient for ISO 27001 purposes). 

    2 - All along the instructions we can see that the documents refer to clauses (e.g., A.17.2.1, 7.5…). These clauses sometimes match with the code of controls, other times they don’t. Do these clauses refer to controls or not? If yes, why don't they always match? If not, what do they refer to and is there a list of clauses?

    Please note that references to controls from ISO 27001 Annex A start with “A.” (e.g., A.17.2.1 refers to control Availability of information processing facilities), while references to clauses from the main part of the standard (clauses 4 to 10) start with a number (e.g., 7.5 refers to Documented information).

    This material can provide you with more information about ISO 27001 clauses:
    - Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

    3 - In our documents we put the reference documents towards the end of the documents in the same table with the records. Is that ok or is it better to separate them and put the Reference documents at the beginning of the documents like you did?

    You can keep your reference documents as you define them. ISO 27001 does not prescribe this level of detail in formatting documents, so organizations can define the content order as best it fits them.

    4 - In some of our documents/policies we describe the Violations of the Policies in a dedicated paragraph, while in your documents we don’t find them. Can we keep these paragraphs regarding Policy Violations or not?

    You can keep your paragraph dedicated to Violations of the Policies in your documents. ISO 27001 does not prescribe this level of detail in document content, so organizations can define the content as best it fits them.

    5 - Can we put a document/section with the Organisation chart emphasising the key figures with responsible roles in the ISMS? And linked to this topic, two more questions: could we use a RACI matrix in the documents? Could you suggest the best way to call these figures in Italian?

    Key roles and responsibilities for the ISMS are included in the Information Security Policy template (section 4.4). Please check whether the information in this section of the template can fulfill your needs. If yes, you can include the organizational chart there, but you can also develop a separate document to present this chart.

    Regarding the RACI matrix, you can use it in the documents, as a means to provide a quick view about how something needs to be done, but please note that required responsibilities are already defined alongside the documents, and you need to ensure the RACI matrix covers them properly.

    In the Italian version of the toolkit we translated the ISMS roles in various policies and procedures where we found an appropriate term in Italian; the rest are left in English.

  • Microbiology Lab for Implants (Plates and screws)

    The main point here is that these medical devices must be sterile. So I assume they are produced in a cleanroom. Microbiology requirements then include the following:

    • Microbiology monitoring of the environment (surfaces, air, workers’ hands, machines that are used in the cleanroom)
    • Bioburden before sterilization, so that you know the microbiological load of your products and can choose the appropriate sterilization method
    • Testing the sterility of your product after the sterilization

    All of this is stated in the following standard:

    • EN 556-1:2001 Sterilization of medical devices - Requirements for medical devices to be designated "STERILE" - Part 1: Requirements for terminally sterilized medical devices

    The microbiology laboratory for performing all this work must be accredited. It is stated in the MDR 2017/745, Article 106 – Provision of scientific, technical, and clinical opinions and advice – that the EU Commission designates the expert laboratories. Accreditation is one way in which a laboratory can be designated.

    For more information, please see:
