1. Is there a template for receiving inspection and dock audit?
There is no template for receiving inspection and dock audit.
Receiving inspection should be done according to the technical drawing of the product received. Controls such as the number of samples, measured values and specifications, visual result, certificate check result, packaging, labeling, weight, etc. should be found on the relevant form. As you know, a dock audit is "a quick, final inspection of finished products before they are sealed, boxed, and approved for shipping. It is a visual inspection typically performed by quality control inspectors on the shipping dock of a warehouse shortly before the product is loaded onto a freight truck for delivery."
So, if it covers the above topics, you can use your own list of questions for dock audit and receiving inspection.
2. What is the minimum criteria to satisfy IATF requirements?
Dock audit is not a requirement of IATF 16949:2016, but you should do it if you have a customer-specific requirement. Receiving inspection should be performed, and the product should be measured according to the technical drawing of the product received, and, if necessary, results such as appearance, weight, quantity, certificate control, etc. should be recorded.
1 - How to start? What has to be done first?
Please note that there is no ideal or logical order to start viewing the training, so you can watch them according to your preference, or simply follow the sequence on which they are provided.
One tip could be for you to start with the videos about topics you are already familiar with, so you can understand the structure of the presentation. This way you can have a better experience when watching videos on topics new to you.
2 - How to start auditing the company on Information Security?
The internal audit can be performed by the organization's own employees, provided they have the competence and do not audit their own work. Or you can contract a third party to perform the audit.
As for choosing a third party to perform the audit, you should consider at least these criteria.
These articles will provide you with a further explanation about internal audit:
These materials will also help you regarding internal audit:
Thank you for the answer. How should I approach the BIA analysis when some processes, e.g. related to IT or sales, are maintained as part of services shared by a related company? The critical processes in my organization require them to function. In your opinion, should they do the BIA on their own or fill in my questionnaire?
In situations like these, to comply with ISO 22301 you should fill out your BIA questionnaires only stating which third parties you depend on and for which activities.
You do not need to know the details on how to ensure they can properly support your processes, because with the information you identify in the BIA you can define business continuity capabilities as continuity clauses in the contracts or service agreements you have with them.
By the way, included in your toolkit you have access to a video tutorial that can help you fill in the BIA.
I have two questions: Are there GDPR awareness training videos available? I am looking for a 30-minute to 1-hour video for our employees which explains the guiding principles and responsibilities of organizations and their personnel.
You can enrol in our free online training EU GDPR Foundations Course - the course has a couple of hours of videos, but you can watch only the ones you consider appropriate: https://advisera.com/training/eu-gdpr-foundations-course//
Further, you can watch the security awareness training videos, which are much shorter and also include some videos on privacy: https://advisera.com/training/awareness-session/security-awareness-training/
In the paragraph below, taken from the GDPR regulations, it refers to "commercial organizations". Could you elaborate on the intended definition of commercial organisation?
"The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection."
It refers to all organizations which are bound by GDPR (companies, sole traders, freelancers, non-profits, associations, political parties, etc.). GDPR does not apply to data transfers among individuals in their private life/domestic activities.
Here you can find more information about GDPR applicability:
For class I medical devices, there is no strict definition of how often updates need to be done. And this is not about some time limit, but about the fact that these documents change depending on the situation.
The most common reason for changing the Clinical Evaluation is some risk that has arisen, or something that has happened with the competition, as this is an input for you as well. It is expected that the clinical evaluation for Class I medical devices generally changes every 3-5 years.
In risk management, the situation is a little different. Every complaint you receive must be analyzed to see if it is already covered by your risk analysis. Any change of supplier, change of machine, change of production conditions, and even organizational changes must be analyzed to assess how these situations affect the risks. This means that there will be a period in which you will not change the risk analysis for a year, and then again there may be a period in which you will change the risk analysis several times within 6 months, for example.
Records are types of documents that provide "proof of existence", i.e. they prove that a certain process has been done. You need to keep all the mandatory records which are directly required by the standard. You can see the List of mandatory documents and records required by ISO 13485:2016 in the following article:
Of course, if some requirements are not applicable to you, then you do not need to generate these records. For example, if your product is not sterile, then you do not need to have records of sterilization and sterilization validation in your quality management system.
The purpose of the List of records is to have in one place all your records, to know which record version is currently valid. On that list, there should be all records that you provide within your quality management system: both mandatory records required by the standard, but also any other record that you generate during the execution of your processes, which is proof that some process has been done. This list guarantees the exactness of entered data and prevents unauthorized entry, changes, and destruction of such records.
If by CAPA you mean the record Corrective/preventive action request from our toolkit, then this record needs to be on the List of records.
You can find more information on document management at the following links:
Please note that ISO 27001 main clauses (from 4 to 10) do not prescribe the development of procedures. Regarding ISO 27001 Annex A controls, the following controls, when identified as applicable, require the development of procedures:
To see what documents compliant with these controls look like, please see:
These articles will provide you with a further explanation about document management:
These materials will also help you regarding document management:
Please note that when you perform a risk assessment on a group of assets it means that they share the same risk characteristics, like threats, vulnerabilities, likelihood, etc.
For example, a category called “computer” can have as individual assets servers, desktops, and laptops. In case you assess risk for the category computer, it means that all individual assets have the same risk, so you do not need to assess each individual asset.
Assessing an individual asset would be needed only if you have a specific risk (i.e., different threats, vulnerabilities, likelihood, etc.) for an individual asset in the category. For example, the risk of laptop theft could be different from the risk of server theft, so it may be interesting for the organization to perform risk assessments specifically for laptops.
Considering that, to perform the risk assessment in Conformio for specific assets, you only need to go a step further in the identification of the assets (i.e., you can add a new asset choosing one of the assets included in the “computer” category).
In case you want to assess two kinds of laptops separately, because they have different risks (e.g., financial laptop and development laptop), you would need to add two assets, and name them e.g., "financial laptop" and “development laptop”, and do the risk assessment.
It would be more effective to use the automotive process approach for quality management system process audits; the use of a checklist is not recommended.
For this, it may be necessary to receive training in internal auditing and the automotive process approach. During the audit, each process should be asked about goals, risks and opportunities, responsibility, authority, training, etc. Apart from that, as an example, if the purchasing process is to be audited, clause 8.4 of the IATF 16949:2016 standard should be audited as the main subject.
I never saw any use of the words “quality income” and ISO 9001.
About the term "cost of quality", you can see it being used in this article - How to measure the cost of quality in line with ISO 9001 principles - https://advisera.com/9001academy/blog/2019/10/28/cost-of-quality-how-to-measure-it-in-line-with-iso-9001/ Before ISO 9001, I used the term "cost of quality" as a designation for the sum of the cost of quality prevention (like training), quality control (like controllers' wages) and quality failure (like the cost of defects and rework).
Cost of quality can be a quality objective.
Below, you can find more information about quality objectives: