Search results

Business Continuity Management System Software Checklist

Some criteria you should consider for evaluating BCMS software are:

• Availability of online communication features, so employees have more freedom of work
• Features specifically designed to cover ISO 22301 core requirements (e.g.: business impact analysis, risk assessment, business continuity planning, document and record management, etc.)
• Availability of external support service and knowledgebase, because no software will help you solve 100% of the situations, and you will need expert advisement some moment
• References about performance and stability of the platform
• Cost for acquisition and maintenance.

This article can provide additional information:

• When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/

Question about auditors

1. Does the external auditor need to sit privately with the internal auditor and see his IA plan and its IA report and verify all his findings?

The external auditor does not need to sit privately with the internal auditor to perform the audit if he can use any other methods to find needed evidence to confirm that the internal audit is performed according to the standard.

Regarding the internal audit findings, the external auditor can work with a sample, provided this sample can provide enough confidence that the process is being performed according to the standard´s requirements.

2. Does the external auditor have a commitment and or obligation to verify his findings and corrective actions taken? Or simply look into his plans and its final report.

ISO 27001 requires the verification not only of internal audit plans and results (clause 9.2) but also of the results of any corrective action taken (clause 10.1), so corrective actions taken as a result of internal audits need to be verified by the external auditor (again, this verification can be performed over a sample). 

3. It’s well known that IA is not fully impartial and his IA report might not be a bit biased and or impacted by his senior management if he/she is not independently reporting to the highest authority?

In fact, problems of conflict of interest and impartiality can occur, but to be compliant with ISO 27001 an organization needs to ensure objectivity and impartiality from internal auditors and that these are reported to relevant management (clauses 9.2 e) and 9.2 f)), and the external auditor should verify the fulfillment of these clauses. 

4. Can the Internal audit out of transparency disclose any Nonconformities to the external auditor and or anything that the external auditor himself can not find during his short visit?

Members of an organization can provide additional information for an external auditor if they think this can improve the results of the external audit and help improve the organization, but in general disclosure of such information needs to be aligned upfront between auditees and the organization’s top management (normally disclosure of such information without previous alignment can lead to disciplinary process). 

These materials will also help you regarding audits:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
• Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

• Process owner of Training plan documents

  There is no definition on this subject in the IATF 16949: 2016 standard or the ISO 9001: 2015 standard. This issue may vary from company to company.

  In some organizations, all training documents are stored by the HR department. In some companies, HR department stores only for office staff, and for workers who are production employees, the relevant department stores. In short, this subject varies according to the size and structure of the companies.

• Timeline for processes audit

  According to IATF 16949:2016 standard, while making audit plans for the system and for the manufacturing process, it should be considered risk-based.

  These risks should be determined as follows:

  • Process changes Internal and external problems
  • New process or processes
  • New products or production technologies
  • Organization changes
  • Performance trends Customer complaints
  • etc

  The risk level should be determined according to these situations and the frequency of audits should be determined in a 3-year period. There is no requirement for one audit per year. If there is no risk, a process can be audited once in 3 years, or if there is a risk, another process can be audited 3 times a year.

  The IATF 16949: 2016 standard explains as follows.

  For System Audit; The organization shall audit all quality management system processes over a three-year audit cycle, according to an annual program, using the process approach to verify compliance with this Automotive QMS Standard. Integrated with these audits, the organization shall sample customer-specific quality management system requirements for effective implementation. The complete audit cycle remains three years in length. The quality management system audit frequency for individual processes audited within the three-year audit cycle shall be based upon internal and external performance and risk. Organizations shall maintain justification for the assigned audit frequency of their processes. All processes are required to be sampled throughout the three-year audit cycle and audited to all applicable requirements in the IATF 16949 standard, including ISO 9001 base requirements, and any customer-specific requirements.

  For Manufacturing Process Audit; Each audit does not have to cover all shifts in one audit (for example an audit of the pressing process could be done on shift 1 and 2, sampling shift changeover in year 1, and then in year 2 or 3 an audit undertaken on the third shift for pressing). However, all manufacturing processes must be audited on all shifts over a three-year cycle, the frequency depending on risk, performance, changes, etc.

  For more information, see:

  • IATF 16949 Audit Types & How they Affect Process Improvement https://advisera.com/16949academy/blog/2017/11/01/iatf-16949-audit-types-how-they-affect-process-improvement/  

  • Difference between ISO 13485 and EN 14683:2019

    ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes - is a standard that is applicable for all manufacturers of medical devices, it is considering the quality management system of the manufacturing the medical device.

    EN 14683:2019 Medical face masks. Requirements and test methods – is a standard that covers requirements under which medical masks must be produced and which tests must be performed to prove that medical masks are in compliance with this standard.

    So, those two standards complement each other, which means that medical masks must be designed and made according to the EN 14683:2019, but the manufacturer must have implemented a quality management system in accordance with ISO 13485:2016.

    For more information about ISO 13485:2016 please see the following articles:

    • What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
    • Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
    • Quality Management System: What is it? - https://advisera.com/9001academy/knowledgebase/quality-management-system-what-is-it/

    • ISO 9001 scope of the quality management system in a cemetery

      Start by thinking about who the cemetery’s customers are. What kind of services does the cemetery offer to its customers? From all the services provided, will all of them be part of the quality management system (QMS)?

      For example, without the proper vocabulary of the area, I can imagine something like: we provide services of burials, cremations, exhumations, and transfers.

      The scope defines and communicates the borders of the QMS. Consider the purpose of the scope, it should clearly describe the type of Products and Services covered by the system and provide sufficient information, preventing the transmission of erroneous or misleading information about what the organization covers in the QMS and what it is able to provide to its customers.

      The following material will provide you more information:

      • How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
      • You can see this free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
      • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
      • Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    • industrialization KPI's

      You can set a project implementation budget target and look at the realization rate of this budget. The project implementation budget target should be set on an individual project basis. The project budget should be determined on a project basis. When you define the project budget,   you should take into consideration of; 

      - Number of the tool to be made, 

       -the new machine to be taken cost, 

      - the number of samples to be made, 

      - investment cost, 

      - Product validation, test cost 

      - New test machine investment 

      - travel cost to customer or supplier site, 

      - supplier investments,  

      - etc.

       

       

    • ISO 9001 Mandatory processes

      No, it is not mandatory to put in place such processes while implementing a QMS based on ISO 9001:2015. Please check the content of the antepenultimate paragraph of clause 0.4 of ISO 9001:2015.

      Please check this free webinar on-demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - where I explain how to develop process mapping, drawing a model of how an organization works, based on the process approach, and how to draw a flowchart describing each process.

      The following material will provide you information about processes:

      • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
      • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (where I apply the process approach as the basis for developing a quality management system)
         

    • How far is the ISO 27001/GDPR package away from being ISO 27701 compliant?

      Please note that ISO 27701 was developed as an extension of ISO 27001 and ISO 27002. Considering that, ISO27001/GDPR toolkit is approximately 80% compliant with ISO 27701. The remaining 20% refers to small adjustments to include the protection of privacy in the context of the documents (e.g., where a document states “information security”, it now should state “information security and privacy”, and applicable controls should consider complementary privacy protection measures), and the inclusion of applicable controls specifically developed for ISO 27701 (in a total of 49 controls).

      For further information, read:

      • Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

      These articles will provide you a further explanation about ISO 27001:

      • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
      • Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

      These materials will also help you regarding ISO 27001:

      • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
      • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    • Incident Management Procedure

      Records are specific types of documents used to evidence that activities were performed and/or results were achieved, and to be compliant with ISO 27001 standards you need to keep some records about incident handling, such as the incident log, for a period of time-related to some need defined by the organization, or by a legal requirement that must be fulfilled (e.g., a law, regulation or contract). Once the retention period is over you can dispose of the record, simply by deleting them, or through specific procedures to prevent them to be accessed once disposed of.

      Additionally, once a record is created, it cannot be amended, so access to such records need to be controlled.

      This article will provide you a further explanation about managing records:

      • Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

      These materials will also help you regarding records management:

      • Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
      • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/