Please note that documents describe rules to be followed and/or actions to be performed, whereas records evidence actions performed and/or results achieved. Additionally, documents can be updated, while records cannot (at most they can be complemented, i.e., new information can be added, but the original information cannot be changed).
Considering that, Risk Assessments are records (they evidence that a risk assessment was performed and which risks were assessed), as are Risk Treatment Plans (they evidence which actions were performed to treat risks and the results achieved). Since records cannot be updated, it only makes sense to apply version control to them if they can be complemented (in this case the information used for version control can be the date of the last included complement). However, they do need a way to be uniquely identified.
As records, they do indeed need a specific retention time, based on business and legal requirements.
This article will provide you with a further explanation about record management:
These materials will also help you regarding record management:
ISO 9001:2015 sets no mandatory requirement to use performance indicators for employees. So, if your organization wants to use them, it is free to determine them. I can give some suggestions, linking the performance of an employee to:
Performance of process indicators affected by the employee (process indicators are mandatory according to ISO 9001:2015)
Results of competence evaluation
The following material will provide you with more information:
I recommend organizations to draw a flowchart with the main steps in the life cycle.
Then, design a table where the first column identifies the main steps. The other columns include topics like aspects, impacts, related legislation or regulation, compliance status with that legislation or regulation, evaluation parameters, and the final result with the decision on significance.
Remember, ISO 14001:2015 uses the word "consider". So, the life cycle perspective implies the consideration of the material life cycle associated with products and services, not requiring a detailed assessment. Your organization should carefully determine which stages of the life cycle it can control or influence, which can vary widely depending on the context.
Please consider these sources of information:
Sometimes I think the same. Sometimes I think there is a “political” use of the classification. As a general rule, a major nonconformity is a situation where an organization:
Has completely failed to fulfill a certain requirement.
Has a process that has completely fallen apart – rules are not followed systematically.
Has several minor nonconformities that are related to the same process or to the same element of the management system.
Has misused a certification mark.
Has not resolved, within the deadline, a minor nonconformity raised during the previous audit (such a minor nonconformity automatically becomes a major one).
You can find more information in the following links:
Yes, you are right that the MDR does not state that this should be ISO 13485. However, Article 8 – Use of harmonised standards – states that manufacturers must be in compliance with standards that are published in the Official Journal of the European Union. The currently available list is the one published on 17-11-2017. That list contains more than 300 standards, and the only one covering the quality management system is ISO 13485:2016. That is why manufacturers of medical devices are expected to have implemented ISO 13485:2016.
Of course, since a lot of the standards on that list have since been revised, a new list of harmonised standards is expected to be published after 26 May 2021, when the MDR fully enters into force.
For more information, see:
The following documents may cover the documents you mentioned (you should consider seeing their free demo to evaluate if they can fulfill your needs):
- Threat management policy and/or process: Incident Management Procedure https://advisera.com/27001academy/documentation/incident-management-procedure/
- Policy and/or monitoring strategy: Security Procedures for IT Department https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
- Data management policy (rest, in transit and in third parties): Information Classification Policy https://advisera.com/27001academy/documentation/information-classification-policy/
- Risk Impact Analysis (RIA): Risk Assessment and Risk Treatment Methodology https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
- Crisis Plan: Business Continuity Plan https://advisera.com/27001academy/documentation/business-continuity-plan/
The remaining documents are not included in the toolkit because they are not commonly used in an ISO 27001 implementation. However, if you need to document them and find it difficult to write them by yourself, buying the toolkit gives you access to support channels that you can use to clarify your doubts about how you should write them.
I’m assuming you are referring to ISO 27001.
Considering that, to implement ISO 27001, broadly speaking, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
To see what documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This article will provide you with a further explanation of ISMS implementation:
These materials will also help you regarding ISO 27001 implementation:
How is the compliance of each ITEM verified?
Compliance verification is performed by means of an internal audit. To prepare for an internal audit, you should consider these general steps:
These articles will provide you with a further explanation about internal audit:
These materials will also help you regarding internal audit:
Factors from a PESTLE analysis are external issues. Considering your organization’s strategic orientation and relevant interested parties you can classify those factors as positive or negative (opportunities or threats). If you do the same exercise for internal factors you can classify them as positive or negative (strengths or weaknesses).
Now, you can match opportunities with strengths or weaknesses, and you can match threats with strengths or weaknesses, and what you get is a set of risks and opportunities.
Although it is about ISO 9001, perhaps the technique that I use and present in this free on-demand webinar - Context of the organization, interested parties, and scope - may be useful for you to work with context and interested parties to determine risks.
Please check this information below with more detailed answers:
Start by reading these articles - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/knowledgebase/6-key-benefits-of-iso-14001/ and - ISO 14001: The benefits for customers - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/ - and see whether you can use one or more topics from the articles to support your proposal. Can your organization win new clients that demand ISO 14001 certification? Can your organization reduce costs through systematic improvement of environmental issues? For example, while implementing an environmental management system I was able to reduce costs and improve productivity by changing to water-based adhesives instead of solvent-based ones.
You can find more information below with more detailed answers:
It is the adopted version (the old one), because the draft of the new Standard Contractual Clauses (SCC) has not been officially adopted.
If you need to understand how to use the SCC, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/