Search results

ISO 9001 Risk identification

I always recommend following three ways to determine risks:

• Risks deriving from context and interested parties (see clause 6.1.1 of ISO 9001:2015)
• Risks deriving from products and services (see clause 5.1.2 b) of ISO 9001:2015)
• Risks deriving from processes (see clause 4.4.1 f) of ISO 9001:2015) 

In this free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/ - I show some examples of determining risks and then acting on them.

After determining risks, you have to evaluate them to determine which ones are more relevant and deserve some kind of action (see clause 6.1.2 of ISO 9001:2015). ISO 9001:2015 is very flexible about how organizations decide to evaluate and to act.

Please check also this other free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/

You can find more information below about risks.

• How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
• How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
• For a free preview of an example of the Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (I use a lot of examples based on the risk-based approach)

Document control

ISO 17025 has the requirement for your laboratory to control documents and records. There are a number of reasons. Document control is not just about the unique identifiers (document name, number) and revision number. The purpose of document control is that plus to make sure the correct documents are in use, obsolete version are taken out of use. Furthermore to make sure all documents are reviewed periodically and have been approved.

If the form has been reviewed as suitable and you are meeting the other requirements, it is up to your laboratory to make a decision about the risk of hand written changes. You should document what you are allowing in your document control and record procedure to manage the risk – so that everyone understands what is and what is not allowed. Remember a form (blank template) is a document. Make sure the old form and number is in your record “List of Internal Documents” and you indicate teh old number as obsolete. Then create /renumber the form electronically and approve it.  Add it to the “List of Internal Documents”. Lastly, any handwritten changes should follow your procedure and should only be done by an authorised person with a neat line through the old number (so that it is still legible). Write, stamp or print the new number and initials of the authorised person on the preprinted "old" copies.

For more information on document control, see the ISO 17025 toolkit document template: Document and Record Control Procedure https://advisera.com/17025academy/documentation/document-and-record-control-procedure/

Additional requirements to become IATF certified when you are ISO 9001:2015 certified

According to IATF 16949: 2016 standard and IATF rules 5, organizations that do not design products and no product design responsibility; IATF standard, 8.3.2.2 "Product design skills", 8.3.2.3 "Development of products with embedded software", 8.3.3.1 "Product design input" and 8.3.5.1 "Product design and development outputs" are not responsible for these 4 items and must be excluded from QMS. According to the automotive standard and rules, the process design must always be within the scope and any production organization is responsible for the process design activity.

Details about Documents Assets

The information to be considered as an asset will depend on your ISMS scope.

For example, if your ISMS scope includes only R&D information, then employee information will not be an asset for ISO 27001. On the other hand, if the ISMS scope includes all organization's information, then employee information will be an asset.

These articles will provide you a further explanation about ISMS scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

For further information, see:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

ISO documentation

The first thing you need to do is review the organizational context, identify which internal or external issues have changed and after that review the risk assessment, to identify if new risks have arisen or if current risks have changed, so you can perform required adjustments.
 
Specifically for ISO 27001, you will need to update the Statement of Applicability and the Risk Treatment Plan.
 
ISO 9001 documents to be updated will vary according to the results of risk assessment.
 
This article will provide you a further explanation about SoA: 

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

These materials will provide you more information about what to consider in regard to work from home, and pandemic:

• What to include in an ISO 27001 remote access policy https://advisera.com/27001academy/blog/2019/04/23/iso-27001-remote-access-policy-how-to-develop-it/
• Checklist of cyber threats & safeguards when working from home (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
• How to use ISO standards to address a pandemic https://advisera.com/articles/how-to-use-iso-standards-to-address-a-pandemic/
• How to perform an internal audit remotely [free webinar on demand] https://advisera.com/27001academy/webinar/remote-internal-audit-free-webinar-on-demand/
• How to use ISO 27001 to secure data when working remotely [free webinar] https://advisera.com/27001academy/webinar/how-to-use-iso-27001-to-secure-data-when-working-remotely-free-webinar-on-demand/
• How to use ISO 9001 to control operations during the pandemic [free webinar] https://advisera.com/9001academy/webinar/how-to-use-iso-9001-to-control-operations-during-the-pandemic-free-webinar/

Asset movement register

I'm assuming that by "asset movement register" you mean a document used to record the movement of an organization asset (e.g., when it is temporarily or permanently transferred from one department to another, or when it goes outside the organization, for maintenance or to be used in travel.)

Considering that, for an asset movement register you should consider the following:

• the asset identification (e.g., serial number, model, etc.)
• the asset owner (the person who authorizes asset movement)
• the asset custodian (the person in possession of the asset)
• the current location of the asset, and to where it will be moved
• if the movement will be temporary or permanent (in case it will be temporary, the date by which it will be returned)

The asset owner and the asset custodian must sign the movement register.

Root cause analysis and corrective action plan

Root cause analysis can be performed in several ways, and since these approaches are easily findable on the Internet we do not have specific templates for them, but you can find useful information about 5 why and fishbone diagram in this article:
- How to use root cause analysis to support corrective actions in your QMS https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/

Is ISO 27001 relevant for clinical data management?

The purpose of ISO 27001 is to protect the information, and it was designed to be used by organizations of any size or industry.

Clinical data involves the handling of very sensitive information related to persons' medical information, which is under the protection of laws and regulations in several countries, and ISO 27001 can help clinics to fulfill related requirements.

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Audit and Risk Management

I'm assuming you are auditing considering ISO 27001.
 
Considering that, first you need to consult the Statement of Applicability, to identify which controls are related to license and patch management (e.g., A.11.2.7 Secure disposal or reuse of equipment, A.12.5.1 Installation of software on operational systems, and A.12.6.1 Management of technical vulnerabilities), and how these controls are implemented.
 
Based on that you can build a checklist with documents and records you need to look for.  

This article will provide you a further explanation about developing an internal audit checklist:

• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

These materials will also help you regarding internal audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Organisational annual audit plan and audit of each department.

ISO 9001:2015 is not about departments, but about processes. So, determine which processes cross each department. When auditing a department you will audit the requirements around the processes that cross that department.

For example, purchasing department may be about purchasing (clause 8.4), about quality control at reception and nonconformities (clauses 8.6 and 8.7), about identification and traceability (clause 8.5.2), about production planning (clause 8.5.1), about preservation (clause 8.5.4), about warehouse conditions (clause 7.1.4). If you check, I identified the clauses by following the process since identifying a need for purchasing until receiving and storing in the warehouse.

About the annual audit plan, you should consider auditing all processes and ISO 9001:2015 clauses in two or more internal audits along a year.

The following material will provide you information about internal auditors:

• ISO 9001 – ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
• What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
• Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
• Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/