Search results

Aerospace and Napcap standards

The aerospace community have taken the ISO 9001:2015 standard and added some aerospace specific requirements into it, releasing this document as the AS9100 Rev D standard (https://advisera.com/9100academy/what-is-as9100/) which forms the requirements for a quality management system for aircraft, space and defense organizations. This standard is audited using a process audit approach just as other ISO standards for management systems are. It should also be noted that there is a replacement QMS standard for 2 specific types of aerospace companies; aircraft repair and overhaul organizations (AS9110) and stockist distributors (AS9120). Both of these standards are also based on ISO 9001:2015 but have different additions than AS9100 which is more generic. Training for AS 9100 auditing can be obtained from many of the same organizations that train for ISO 9001 auditing.

NADCAP auditing, on the other hand, is not like process auditing of a management system. This is a compliance auditing against the specific requirements for a NADCAP process to certify that each and every detailed requirement is met in the process; step by step. For this type of auditing, you would need to contact a NADCAP certified training organization where they can train and certify you to do NADCAP auditing. This may only be necessary for a company that has NADCAP specific processes.

You can read more on the companion standards to AS9100 in the article:

• How does AS9110 & AS9120 relate to AS9100 Rev D? https://advisera.com/9100academy/blog/2017/10/30/how-does-as9110-as9120-relate-to-as9100-rev-d/
• Connection between Nadcap and AS9100 Rev D – Which one do you need? https://advisera.com/9100academy/blog/2019/05/23/as9100d-and-nadcap-which-one-do-you-need/

• ISO 9001 - Mechanical Design Process

  Check ISO 9001:2015 clause 8.3.

  When your organization needs to design a new equipment, you have to consider:

  • Collecting all the design inputs (standards, performance requirements, legislation requirements, customers’ requirements, …)
  • Planning the project
  • Developing the project
  • Checking progress and conformity with design inputs
  • Final tests to confirm design inputs conformity
  • Validation tests during use
  • Control changes. 

  You can find more information below:

  • The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
  • About conducting design and development reviews consider - ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
  • ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

   

• Assets ISO 27001

  ISO 27001 does not prescribe a detailed level for assets, so organizations can define the detailed level that best suits them. This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record organizations laptops as individual assets (you can add an asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to the software of your organization and other assets. 

  For further information, see this article:

  How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  These materials will also help you regarding:

  - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  - ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Procedure for the Software Life Cycle

  Each medical device software must be developt under the IEC 62304:2006 Medical device software — Software life cycle processes. In this standard is described how software life cycle procedure must be. 

  Our ISO 13485:2016 documentation toolkit covers only documented procedures and requirements directly asked in the ISO 13485:2015 standard. This documentation covers the Quality management system that is applicable for all manufacturers of medical devices. 

  Please understand that the range of medical products ranging from spoons for giving antibiotics to the artifitial heart. It is not possible that one documentation toolkit have all documentation from technical standards. 

• Is ISO 9001 listing of activities mandatory

  Unfortunately, we cannot give you a specific answer because we are not aware of categories OGi. What we can say is that the scope defines and communicates the borders of the management system. The scope should clearly describe the type of Products and Services covered by the system and provide sufficient information, preventing the transmission of erroneous or misleading information about what the organization covers in the management system and what it is able to provide to its customers. Describing a list of activities, instead of a general description, is used either to reinforce the message of something that the organization wants to highlight that it is included in the management system, or precisely the opposite, to communicate what is not included.

  You can find more information below:

  • How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
  • Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• List of documentation required by the data processor

  This is the list of mandatory documents required by EU GDPR to controller who is the subject liable of GDPR compliance in first instance.https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/  

  Processor’s documents which are mandatory under GDPR are less and indicated by the controller who need to give instruction to the processor. Usually mandatory documents for processor in their relationship with controller are:- The Data Processing Agreement and it should contains also instructions from the controller on how to process personal data.- The registry of processing activities as a processor.- Data Protection policy, and confidentiality clauses in agreements with people accessing data should be implemented.

  Other documents may be required by controllers in order to demonstrate compliance (i.e. a Data Processing Impact Assessment on the processing carried out by the processor), or a data breach notification procedure. 

  The processor should be available to receive inspections and audits from the controller.

  If you want to understand better data processor requirements under the EU GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

   

• Contract Review per ISO 13485 sec. 7.2.1, 7.2.2

  Yes, if the sales order is distributed by the ERP as is, it is OK and enough from the standard point of view.

• Difference between 3.10 Release in production/ market and 3.12 Transfer to production

  This is related to the general demands exemplified by health records.

• Audit

  I will be grateful if you can solve my next query.

  For some months I bought the Premium Package from you and I have been preparing for a company to be certified in ISO 27001.

  My question is: To what extent should I go so that the Certifying company does its audit? They must consider that I have completed all the steps required and mandatory by ISO 27001, having reached the "Awareness and training plan". I am only missing the points of "Internal Audit", "Review by management" and "Corrective actions" .... My question is, if these last 3 steps must be carried out before passing the Certification Audit.

  I must emphasize that, in my capacity as Consultant for the implementation of ISO 27001, I could not do an Internal Audit, because I should not be "judge and party".

  What should I do or what do you recommend?

  To go for certification, an organization must have evidence of the fulfillment of all requirements of the standard, as well as of the operation of all implemented controls.

  Considering that, the certifying company must perform an internal audit, management review, and treat corrective actions, before going for the certification audit.

  As for performing an internal audit, you still have some options: you can train organization employees to perform an internal audit (taking care they do not audit their own work), or the organization can hire an external auditor for performing this internal audit. 

  These articles will provide you a further explanation about certification:

  • Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
  • Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
  • How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

  These materials will also help you regarding certification:

  • Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

• Business continuity management

  ISO 22301, the ISO standard for Business Continuity Management, was designed to be implemented in organizations of any size and industry, so it can be applicable to a Pharmaceutical company.

  To see how documents compliant with ISO 22301 look like, I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/

  This article will provide you a further explanation of ISMS implementation:

  • 17 steps for implementing ISO 22301  https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

  These materials will also help you regarding ISO 27001 implementation:

  • How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
  • Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/