Search results

Applicable ISO 9001 clauses for implementation in a software company

If they decide to go for ISO 9001 certification only clauses from section 8 can be candidates for classification as non-applicable. ISO 9001:2015 is a generic standard applicable to all kinds of organizations. The company:

• Has clients and consumers – clause 8.2 is applicable.
• Develops software - clause 8.3 is applicable.
• Buys resources - clause 8.4 is applicable.
• Software must be manufactured, lines of code have to be written and tested, bugs must be removed - clauses 8.5, 8.6, and 8.7 are applicable.
   

Inside 8.5 typical candidates for non-applicability are:

• Subclause 8.5.3 – does the company works with confidential information provided by the client? Does the company install the software at the client’s premises? If a new version of software originates problems for the client, does the company is liable? If yes to one of these questions the clause is applicable.
• Subclause 8.5.4 – preservation seems not applicable at first sight but then look into the “NOTE”. You can find there the word “transmission”. What is that about? It is about how information is transmitted and protected, preventing risks of loss, tampering, and protection of information which may include property of the customer and supplier. There are examples of this information transmitted electronically such as electronic payments, mail, electronic files, computer files, information available on websites, etc.
• Subclauses 8.5.5 and 8.5.6 – include after-sales support and new versions

It seems that all clauses are applicable. 

While considering the use of ISO 9001 for software development activities, consider this support ISO/IEC/IEEE 90003:2018 - Software engineering — Guidelines for the application of ISO 9001:2015 to computer software - https://www.iso.org/standard/74348.html

For more information about exclusion, the right ISO wording is applicability, consider the following:

• Case study: Design and development in the software industry - https://advisera.com/9001academy/blog/2017/02/08/case-study-design-and-development-in-the-software-industry/
• What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/
• Free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/
• Enroll for a free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

PPAP, FMEA, QP, PSW in ISO 13485 toolkit

Our course will cover these documents, and these documents are part of our toolkit. Our courses and documentation toolkit are designed to cover all the requirements of the standard. But for any other questions, we are at your disposal.

Supplier information security requirements

Please note that the supplier information security requirements are based on the results of risk assessment and applicable legal requirements, which are exclusive for each organization because they are related to their context and risk appetite.

For example, two organizations may have the same cloud provider, but because they have different risk appetites, a requirement for the less risk+tolerant organization may not be used by the more risk +olerant one.

Included in your toolkit there is a list of commonly adopted security clauses for suppliers and partners that can help you define your supplier information security requirements. This template is on folder 08 Annex A Security Controls >> A.15 Supplier Relationships

This article will provide you a further explanation about security clauses for suppliers:

• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

How Annex A controls relate to ISO 27001 Requirements

Requirement 6.1.3 “c” refers to a comparison between controls to be applied with those in Annex A, to ensure that no necessary controls have been omitted.

Requirement 6.1.3 “d” refers to the development of the Statement of Applicability (SoA), informing the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.

The full text of these requirements can be found in the ISO 27001 standard (https://www.iso.org/standard/54534.html).
Due to Intellectual Property rights, the standard is not included in the toolkit, but you can find some explanation about the requirements in this paper:

• Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

Implementation ISO 13485 on making medical materials for medical laboratories

You can use it because ISO 13485 standard covers all necessary elements regarding the production; it guides you on how to best organize production, how to ensure that you know at all times what stage your product is at, how to ensure traceability (both raw-repro material and finished product) and the required purity. Regardless of the fact that ISO 13485 covers medical devices, this approach is acceptable for the production of any product.

However, please be aware that ISO 13485:2016 is standard for preparing quality management systems explicitly for manufacturers of medical devices. In section 3. Terms and definitions, in point 3.11 is described what a medical device is. A product may be a medical device if it has one or more of the following roles: diagnosis, prevention, monitoring, treatment, or alleviation of disease. Therefore, if your materials meet this definition (and the rest of what is written in point 3.11) then the materials for ISO 13485 are applicable. 

If you need more information what is ISO 13485:2016, please see following articles:

• What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
• How can ISO 13485 help manufacturing companies? https://advisera.com/13485academy/blog/2021/03/16/how-can-iso-13485-help-manufacturing-companies/
• How to get ISO 13485 certified? https://advisera.com/13485academy/iso-13485-certification/
• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

• Document Control

  Besides the requirements you mentioned, the document control process also needs to consider appropriate:

  • identification and description
  • format and media
  • review and approval
  • control to ensure availability and suitability for use
  • protection

  This article will provide you a further explanation about document control:

  • How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/

  This material will also help you regarding document control:

  • Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• SWOT analysis and management structure in ISO 9001

  “I want to understand the frame / process that is followed in creating an ISO management documentation - are you able to provide a structure.”

  In this article, you see the most common frame used to describe a quality management system (QMS) documentation - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/

  It starts with the quality policy, the most high-level document in a QMS, continues with a quality manual, no longer mandatory with ISO 9001:2015, but still considered useful by most organizations to present a general description of the management system. For example, I recommend designing the quality manual based on the process mapping exercise of clause 4.4.1 b). Then come the procedures where we can describe what is done in the QMS, by whom, and when. When it is needed a more detailed description about how to do something in the QMS we use work instructions. At the base, we have forms that, once filled in, become records. We have also other records not generated by filling a form. For example, an e-mail sent by a customer with a complaint becomes a record.

  Procedures and work instructions are not mandatory. Please check clause 4.4.2. Each organization can consider a list of topics when thinking about what procedures are needed or not. Consider that procedure may be useful or needed because of:

  • The complexity of tasks – complex tasks are more prone to errors and mistakes;
  • Staff rotation – if staff rotation is high, people have not much experience and a procedure that someone can use as a guide in case of doubt is very useful;
  • Staff training – if staff training is very poor
  • Performance – if performance results show a bad performance perhaps procedures can help people in their work
  • Complaints – a particular case of performance
  • Requirement – if a law, or a standard, or a contract requires a procedure.
     

  “Also, I liked that a SWOT analysis is carried out.  Is a SWOT always carried out?"

  Carrying out a SWOT analysis is not mandatory. So, organizations may not use it. In this free webinar-on-demand, I show how the SWOT analysis can be used - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/

  You can find more information about context, documents, and records below:

  • How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
  • List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
  • New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
     

• Conformio risk register, confused by some of the threat mappings for Human Resources

  Please note that the mentioned threats (Earthquake / Fire / Flood / Storm) can cause injuries on employees (making them unable to work), or preventing them from reaching the workplace, and if there is no replacement person to perform activities the business will be negatively impacted.

  This article will provide you a further explanation about matching assets, threats, and vulnerabilities:

  • ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

  This material will also help you regarding matching assets, threats, and vulnerabilities:

  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

• Clause 8.5.4 Preservation

  Sometimes to ensure product or service conformity organizations must control and prevent situations that lead to deterioration, loss, theft, end of validity, tampering, and so on.

  For example, raw materials while at a warehouse may be deteriorated due to high or low temperatures, or the level of humidity may be lost due to animal contamination or mixing with other substances. During manufacturing, dust or other types of contamination may generate product nonconformities. The finished product may be lost because temperature and humidity are not controlled, or handling is not well suited (remember the warning phrase “Fragile” in packaging). Finished products may also be lost due to bad practices at the warehouse, new batches are shipped before old batches until validity time is run-up.

  For example, at a restaurant consider temperature and contamination control to avoid food deterioration. An IT service provider considers measures to preserve the server’s performance. A university considers what should be done to ensure that exams are not disclosed.

  So, in your organization’s case look for situations like these and think about what should be done to prevent them.

  You can find more information below:

  • ISO 9001:2015 clause 8.5 Product realization – Practical examples for compliance - https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Linking the external/internal issues and interested parties to the risk and opportunities

  ISO 27001 does not require an explicit identification/link between external/internal issues, interested parties, risks, and opportunities, so this issue is not a certification requirement.

  The standard only requires that external/internal issues, interested parties are determined.

  These articles will provide you a further explanation about internal/external issues and interested parties:

  • How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  • How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
  • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/