Search results

Risk and control self assessment

For risk assessment you can consult these materials:

• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
• ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

To see how documents for risk assessment compliant with ISO 7001 looks like, see: ISO 27001/ISO 22301 Risk Assessment Toolkit https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

For controls self-assessment, see:

• Free ISO 27001 Gap Analysis Tool https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

Finding ISO 27017/18 content

The documents you are looking for which cover the mentioned clauses can be found in the following folders:

• Clauses on Service Agreements with cloud providers is covered by the Appendix – Security Clauses for Clients, Suppliers and Partners, located on folder 08 Annex A >> A.15 Supplier relationships
• User Data Privacy Protection Agreement Guidelines is covered by the Appendix – Security Clauses for Clients, Suppliers and Partners, located on folder 08 Annex A >> A.15 Supplier relationships and Policy for Data Privacy in the Cloud, located on folder 04 Information Security Policy
• Security Requirements Specification is covered by the Appendix – Security Requirements Specification, located on folder 08 Annex A >> A.14 System acquisition development and maintenance

By the way, included in your toolkit there is a List of Documents file which points out which document covers which clauses and controls from these standards.

Corrective action timeline

Attention, you are using correction and corrective action interchangeably. That is not right. First, you develop a correction to eliminate the nonconformity and its consequences. Then, if your organization decides to develop a corrective action, after determining the reason for the problem, the root cause(s), you have to implement a corrective action and, according to ISO 9001:2015 clause 10.2.1 d), you should review the effectiveness of the corrective action. So, you should state both criteria and a timeline to evaluate the effectiveness of the action.

Please check the following information:

• ISO 9001 – Difference between correction and corrective action - https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/
• Check slide 17 in this free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Performing validation of process/activity

According to requirement 7.5.6 Validation of processes for production and service provision, validation must be done for processes in which the resulting output cannot be verified by subsequent monitoring or measurement. It means that, for example, validation is not necessary when the mass of the medical device is in question, because you can weigh each product and check is the mass according to the specification. However, if you have a sterile product, it is not easy to check the sterility of the product. In that case, you need to dexterous the product and make an analysis of sterility. This is not convenient because you will destroy all your products and have a lot of costs. For such processes, validation must be performed. 

Therefore, validation is documented evidence that declares a process or system will consistently meet a predetermined specification. It is a series of documented tests and gathered information that proves a system will produce a product that meets all specifications and standards. 

Very often, there are standards that guide you on what has to be done to validate certain processes. Some of the most used standards for validations for medical devices are the following:

• ISO 11737-2:2019(en) - Sterilization of health care products — Microbiological methods — Part 2: Tests of sterility performed in the definition, validation, and maintenance of a sterilization process
• ISO 11135:2014 Sterilization of health-care products — Ethylene oxide — Requirements for the development, validation, and routine control of a sterilization process for medical devices
• ISO 11607-2:2019 Packaging for terminally sterilized medical devices — Part 2: Validation requirements for forming, sealing, and assembly processes
• ISO 14644-2:2015(en)
• Cleanrooms and associated controlled environments — Part 2: Monitoring to provide evidence of cleanroom performance related to air cleanliness by particle concentration

For more information about this topic, please see the following articles:

• Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/
• How to establish process validation in the QMS https://advisera.com/9001academy/blog/2017/01/31/how-to-establish-process-validation-in-the-qms/

• Environmental sample handling

  In terms of ISO 17025; Sampling (clause 7.3), Handling of Samples (clause 7.4) and Facilities and environmental conditions (clause 6.3) conditions must be met. Record keeping, including chain of custody records are crucial. The actual best practices will depend on the parameter to be tested, and your sector / regulations. All will, however, cover sampling, preservation, handling, transport and storage. The requirements for microbiological, chemical, toxicological and biological assays differ widely, and cannot unfortunately be detailed in this response. There are International and National standards available, as well as guidance from organisations such as WHO, EPA and FDA; that you can look at.

  Have a look at the ISO International Classification for Standards (ICS) 13, for Environment, Health protection and Safety (https://www.iso.org/ics/13/x/) with 13.060 covering Water Quality (https://www.iso.org/ics/13.060/x/). Here, for example, you will find access to ISO 5667-3:2018 Water quality — Sampling — Part 3: Preservation and handling of water samples. For microbiology look at ISO 19458:2006 Water quality — Sampling for microbiological analysis.

  For WHO, EPA and FDA guidelines, I suggest you got their websites and search, based on your specific criteria. For example https://nepis.epa.gov/Exe/ZyPDF.cgi/P1000PUE.PDF?Dockey=P1000PUE.PDF provides the latest Supplement 1to the Fifth Edition of the Manual for the Certification of Laboratories Analyzing Drinking Water.

  For more information on ISO 17025 requirements for Sampling (clause 7.3), Handling of Samples (clause 7.4) and Facilities and environmental conditions (clause 6.3), see the ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

• Customer specific requirements

  Customer-specific requirement (CSR) is very important for the IATF 16949: 2016 standard. The standard requires customer-specific requirements (CSR) to be evaluated and adapted to the quality management system.

  1. CSRs should be read, and additional expectations should be indicated in a table. The table can be in any format you want. The table should show a match with the special requirement and documents in your quality management system.
  2. Special requirements contained in CSRs should be mentioned in Quality management documentation such as the relevant process, procedure, instruction, and/or quality manual.
  3. Of course, the relevant process owners should be knowledgeable and trained about these special requests. For example, one special requirement of VW is to make a process according to VDA 6.3. In summary, this requirement should be shown in the table, it should be matched with your QMS document, this requirement should be input into the relevant document. You should use the VDA 6.3 format for internal audit reports and your internal auditors should be VDA 6.3 certified.

  After reviewing the CSRs, it is also important to document an action plan about the issues you cannot comply with. This means that the CSR has been reviewed by the organization and there is awareness. Open actions should be completed as soon as possible.

  For more information, see:

  • How to satisfy customer specific requirements when implementing IATF 16949 https://advisera.com/16949academy/blog/2019/07/02/iatf-16949-customer-specific-requirements-how-to-meet-them/

  • Quality objectives in relation to ISO 9001 external audit

    No, it will not be a reason for nonconformity during an external audit, unless it is something that the company does systematically. For example, in a year like 2020 with events like the coronavirus, it is natural that many objectives, depending on the context, are not attainable.

    The following material will provide you more information:

    • Article - How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
    • Article - How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    • Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 -
      https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
       

  • ISO 9001 most suitable approach

    Not all clauses are applicable in every area of an organization. I recommend starting from the process map. Organizations should develop a model based on the process approach. So, for each process study what are the applicable clauses from ISO 9001:2015 and what are the applicable internal documents. Please check these two free webinars on demand:

    • The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    • How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ (includes a slide about developing checklist questions)
       

    You can find more information below:

    • Course - Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
    • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

  • How to align current policies with ISO27001

    I'm assuming by your question that you are not considering certification, only compliance with the standard.
     
    Considering that, to align the stated policies with ISO 27001 you need to:

    • identify the processes where these policies are used.
    • identify legal requirements (e.g., laws, regulations, and contracts) that impact information security related to the identified processes.
    • perform the risk assessment process, to identify relevant information security risks related to the identified processes.
    • perform risk the risk treatment process, to identify how to treat relevant information security risks and which controls from ISO 27001 Annex A to implement.
    • Identify which controls from ISO 27001 Annex A to implement, based on identified legal requirements.
    • adjust the policies according to the identified controls.

    To see how similar policies compliant with ISO 27001 looks like, please see:  

    • Backup Policy https://advisera.com/27001academy/documentation/backup-policy/
    • Mobile Device and Teleworking Policy https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
    • Policy on Use of Encryption https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
    • Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/
    • Change Management Policy https://advisera.com/27001academy/documentation/change-management-policy/

    These articles will provide you further information:

    • ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    • Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
    • How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
    • What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
    • How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
    • How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/
    • How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

    These materials will also help you regarding risk assessment and ISO 27001 Annex A controls:

    • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/