Please check this article about mandatory documentation - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
If you follow ISO 9001:2015 you don’t have to present documentation regarding internal or external issues. However, if in your management system approach you planned to document internal or external issues then you have to show them during the audit.
You can find more information about documentation below:
1. Would it be compliant that a medium size company (70 employees) to have separate procedures for Feedback and Complaint, Non-Conforming Product, Non-conformance and CAPA but the following logs: Feedback Log, Employee Suggestion Log (for employee feedback data gathering), CAPA log and just one log for both Complaints and Non-conformances.
Yes, it would be compliant for a company this size to have separate procedures for defined requirements. How you divide the registration logs seems OK.
2. If there were 2 logs, one for complaints and one for non-conformances and a complaint is received that is investigated and considered a non-conformance, shall that complaint appear in both complaint log and non-conformance log? Similarly, if hypothetically a complaint is received and it is incident related, would it be registered in all logs applicable (complaint log, then incident log, then non-conformance log if it is due to a non-conformance, then in CAPA log when corrective action is required?) or can some of them be skipped (such as recording the incident straight into incident log rather than complaint log and in CAPA log to carry out relevant action plans?)
In my opinion, it is OK to have one log for complaints and non-conformances to skip repeating the information. If that is not the case, then you need to register a complaint in one log, and then connect that complaint with the non-conformance log. The best way to do it is that in the complaint log you have one column where you will, after the investigation of the complaint, put the number of the non-conformance that you will raise to solve this complaint.
3. Is it considered as being a complaint an instance when a customer is dissatisfied because his expectations are not met, but for meeting their expectations the regulatory requirements shall be broken?
Here, the only question is - has the customer expectation been written somewhere (in contract, on the invoice, or similar). If there is no record of the customer expectation and even if it will mean that regulatory requirements shall be broken, in my opinion, it isn't a complaint. Requirement 7.2.2 Review of requirements related to the product states that product requirements must be defined and documented, and the organization must review the requirements related to the product. Records of the results of the review must be maintained.
4. I believe registering every issue that is detected in all the logs relevant is so confusing and time consuming.
I agree with you. So try to make this as simple as possible. From my experience as an auditor, some clients have only a customer complaint log and all other elements are in one log: CAPA, non-conforming products, even findings from internal audit. It is very easy to manage these logs when using advanced Excel.
The following articles can be helpful:
1. How to understand Context of the Organization
You can understand the context of the organization as any internal or external factor that can affect the ISMS. As examples of external factors (something that is outside the organization's control), we can mention new technologies, competitors, and laws. Examples of internal factors (something the organization can control or have influence over) are the organization's own resources and knowledge, its culture, and its employees' competencies. Understanding the context is essential to identify where the ISMS can be applied, its strengths and limitations.
This article will provide you a further explanation about the Context of organization for 27001:
These materials will also help you regarding the Context of organization for 27001:
2. and determine scope for Implementation of ISO 27001:2013
According to ISO 27001, an ISMS scope must be defined in terms of information, locations, or business units to be protected, considering the organization's objectives and context.
For small and mid-size organizations (up to 100 employees) often it is better to include all the organizations in the scope because the effort to keep only a part of the organization in the scope is not worthwhile. For bigger organizations defining a smaller scope may be better to reduce the costs and effort to what really matters for business objectives.
These articles will provide you a further explanation about defining scope:
I'm assuming that by "Vendor log" you mean the document or system you use to record and manage your vendors.
Considering that, to identify which vendors should be in your Vendor Log, and under periodic vendor review, you need to perform a risk assessment on your vendors, to identify if they can raise relevant risks that need treatment. Additionally, you need to evaluate the legal requirements you must comply with (e.g., laws, regulations and contracts), to identify if any of them has clauses defining specific vendors or conditions that will require vendors to be logged or reviewed periodically.
These articles can provide further information:
In your documented procedure Control of documents, you can state that your particular website is also documented information, but you just need to explain somewhere (maybe in the SOP Control of document or in a separate SOP) how you control the website, who is responsible for the changes on the website, how the backup is provided, how you collect any information from the customers, how data that customers leave on your website is protected and so on.
For more information on documentation control, please see the following article:
You can see what our ISO 13485:2016 documentation toolkit looks like on the following link: https://advisera.com/13485academy/iso-13485-documentation-toolkit/
You can even download the free demo on the following link: https://advisera.com/13485academy/iso-13485-free-demo/
For more information on what ISO 13485:2016 is, please see the following links:
If you have any other questions regarding ISO 13485, please do not hesitate to contact us.
Requirement 6.2 Human resources from ISO 13485:2016 states that the organization must document how to evaluate the effectiveness of the training. So it states what needs to be done, and not how to do it. It is totally up to you to define the method of training validation. Only keep in mind that you need to ensure the competencies for a particular job and the employees' awareness of how they participate in the quality of both products and systems.
Your idea to create a different version of quizzes for a group of SOPs sounds great.
Here you can see how we in our ISO 13485:2016 documentation toolkit have prepared human resource procedure and record: