Search results

Clauses related to engineering and production

Need one clarity like what are the clauses related to engineering in IATF.

Product, process design, and development clause of IATF 16949: 2016 standard is also related to engineering. This is related to articles 8.1 and 8.3 of the standard.

And what are the clauses related to production?

The production-related articles of the IATF standard are as follows. 8.5 complete -8.6-8.6.1 -8.6.3-8.6.6-8.7.1.1-8.7.1.2-8.7.1.3-8.7.1.4-8.7.1.5-9.1.1.1-9.1.1.2-9.1.1.3-10.2 .2-10.3.1 b) -10.3.2.

Training in the company

According to requirement 6.2 Human resources, the following documents are required: documented requirements for establishing competencies, providing the needed training, and ensuring awareness of personnel.

This means that you need to documents what are competencies needed for each job position (this is usually called Job systematization), what kind of training do you have (for example internal training, external training, self-education), how the training will be conducted (how the person can ask to go to certain training, how the management will define the budget for the education, what kind of records there will be); and how the effectiveness of the education will be conducted (will it be for each education or just for the educations that have the most impact on the business of product quality, how the effectiveness will be checked: by oral or written exam, monitoring the everyday work, or something else). 

Usually, the responsible person is the head of the human resource department. However, very often the head of each department is responsible to decide to which training it is necessary for the employee to go and to define the method of the effectiveness check.

On the following links, you can see with which documents we cover this topic in our ISO 13485:2016 Documentation toolkit:

• Procedure for Human Resources https://advisera.com/13485academy/documentation/procedure-for-human-resources-iso-13485-2016/
• Training Program https://advisera.com/13485academy/documentation/training-program-iso-13485-2016/
• Training Record https://advisera.com/13485academy/documentation/training-record-iso-13485-2016/
• Record of Attendance https://advisera.com/13485academy/documentation/record-of-attendance-iso-13485-2016/

• Toolkit content

  ISO 27001 does not require each control in Annex A to be implemented, only those deemed necessary as a result of risk assessments, legal requirements, or organizational decisions. To see the required documents by the standard, and the most common documents implemented to support an ISMS, please see this article:  
  - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

  Our toolkits focus on small and mid-size companies, and that's the reason we do not write documents to cover each control – for those companies this large number of documents would result in overkill for many of them. Instead of that, a single template may cover multiple controls. In the root folder of the toolkit, you'll find a document called “List of Documents” that explains which control is covered by which document.

  A.6.1.1 - Information security roles and responsibilities are embedded in every document in the toolkit (you can identify its application on the field which requires a job title to be defined).

  For further information, see:  
  - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
  
  A.6.1.2 - Segregation of duties is included in templates where such control is deemed applicable (e.g., in change management policy roles for request a change and approve one can be different), and the Statement of Applicability document provides a short guidance on how to implement this control. 
  
  For further information, see:
  - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

  A.6.1.3 - Keeping in contact with authorities, A.6.1.4 - Keeping in contact with special interest groups, and A.6.1.5 - Information security in project management are not commonly used controls, so they do not have a specific application in the templates. Likewise for A.6.1.2, the Statement of Applicability document provides a short guidance on how to implement these controls.

  For further information, see:
  - Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/
  - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/

• Consent for processing children's data in the EU

  From the user experience that you described in this survey, the withdrawal of consent has a narrow timeframe which is fine, it can be also shorter, you can decide to erase data after reaching the purpose of processing which is to verify the identity of the teenage participant to the survey. So you can also implement a system that lets you a small amount of personal data for a limited period and develop only anonymous data. In this case, withdrawal of consent will be possible for a short period of time, but it is fine until you state it in the privacy notice.You can set different data retention periods, i.e., you may say that you are going to process localization data for 24 hours, IP address for 2 days, etc., and that at the end of processing you will keep anonymous data, removing all personally identifiable information.

  If you need more information about how to implement data subjects rights, these articles may help:

  • Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
  • Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Four main questions for obtaining and managing data subjects’ consent under GDPR https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
  If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Knowing ISO 27001 and ISO 22301

  Good morning, a question, I would like to know about the information security standards ISO 27001 and ISO 22301, can it be done for free or free and then certified?

  First is important to note that only ISO 27001 is about information security. ISO 22301 is about business continuity.

  Considering that, to know about these standards you can find many useful information in our blog posts and free downloadable material:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
  • Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
  • Clause-by-clause explanation of ISO 22301 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-223012008

  Regarding certification, I’m assuming that you are asking about personal certifications.

  Considering that, some training providers offer courses for free, but for certification, you have to pay. 

  To see how our free-to-enroll ISO 27001 courses look like, please access these links:

  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • ISO 27001 implementation Free online training ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

• Symbol MD in the label of Medical Devices Class I (no sterile)

  Thank you, Kristina for the detailed response. 

• End of life and ISO 27001

  Using third parties with a physical presence in remote locations to manage corporate equipment is an acceptable solution for ISO 27001. In this situation, you also need to consider signing contracts or service level agreements including information security clauses to increase information protection (specifically how to dispose or re-use equipment).

  In case hiring third parties to collect or receive the equipment is not a viable solution, an alternative you can consider is the use of BYOD, where employees use their own devices to work, implementing software that either forbids the storage of corporate information locally in the device (e.g., employees can only access corporate resources through a virtual machine) or that allows a remote full reset of the device.

  Normally, these rules are implemented through a BYOD policy, which you can see how it looks like at this link: https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/

  
  This article will provide you a further explanation about the supplier relationship:

  • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  This article will provide you a further explanation about BYOD policy:

  • How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

  These materials will also help you regarding supplier management and BYOD:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Standard for chlorine dioxide sterilization of medical devices

  To my knowledge, there is no ISO standard for performing chlorine dioxide sterilization. However, besides that kind of standard, each sterilization process and sterile medical device must correspond to the following harmonized and state-fo.the-art standards:

  ISO 18472:2018 Sterilization of health care products — Biological and chemical indicators — Test equipment
  EN ISO 11737-2:2020 Sterilization of health care products - Microbiological methods - Part 2: Tests of sterility performed in the definition, validation, and maintenance of a sterilization process (ISO 11737-2:2019)’
  EN 556-1:2001 Sterilization of medical devices - Requirements for medical devices to be designated "STERILE" - Part 1: Requirements for terminally sterilized medical devices
  EN ISO 11140-1: 2014 Sterilization of health care products - Chemical indicators - Part 1: General requirements
  EN ISO 11140-3:2009 Sterilization of health care products - Chemical indicators - Part 3: Class 2 indicator systems for use in the Bowie and ****-type steam penetration test
  EN ISO 11737-1: 2018 Sterilization of medical devices - Microbiological methods - Part 1: Determination of a population of microorganisms on products
  EN ISO 11737-2:2019 Sterilization of medical devices - Microbiological methods - Part 2: Tests of sterility performed in the definition, validation, and maintenance of a sterilization process
  EN ISO 14937:2009 Sterilization of health care products - General requirements for characterization of a sterilizing agent and the development, validation, and routine control of a sterilization process for medical devices

• BIA and Risk Assessement

  1 - Thanks for the reply. I will highly appreciate if you can give me one example of risk which has been done for a BIA process.

  Answer: First is important to note that risks are not identified as part of a BIA process. Risk assessment and BIA are different processes. From risk assessment you can identify risks that can help you prioritize on which business process to perform BIA first. For BIA it is irrelevant which risks might materialize - the only relevant thing is the duration of the outage (irrespective of the incident).

  Examples of risks that can be identified and used to prioritize business processes to apply on BIA are fire, earthquake, bomb threat, and interruption of power supply.

  To see how such risks can help understand which business processes a BIA should cover first, I suggest you take a look at the demo of this template: https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/

  For further information, see:
  - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
  - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

  2 - Also as per you answer, should I perform RA only for the process which I have in BIA? If that’s the case, should I consider RA w.r.t People , process and technologies boundaries? or should I consider operational and business risks as well?

  Thanks

  Answer: In case your purpose is to ensure business continuity, considering the ISO 22301 standard, which provides requirements for business continuity management, then you should apply RA only for the process which you have in BIA (which are all the processes included in the Business Continuity Management System scope).

  Regarding risk categories, ISO 22301 does not prescribe which ones to apply, so you can define the ones that better fit your needs.

  To see how documents compliant with ISO 22301 BIA and RA looks like, please take a look at the free demos of these toolkits:
  - ISO 22301 Business Impact Analysis Toolkit https://advisera.com/27001academy/iso22301-business-impact-analysis-documentation-toolkit/
  - ISO 27001/ISO 22301 Risk Assessment Toolkit https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/