Search results


  • Annex A.14.2 controls

    When we talk about developments within the organisation are we talking solely about development of software for use within the organisation, or does this include development of commercial software as a product to be sold to customers?

    Please note that the term "developments within the organization" refers to the development process, not to the final users, so it is applicable both for when developed software is for internal use or is to be sold to customers.

    Secondly, does the word development include the configuration (no coding or customisation) of commercial software packages such as Microsoft Dynamics CRM, or Xero accounting?
    So, if development of c

    The configuration is an action related to installation, not development.

    Considering both previous answers, control A.14.2 would be applicable in case the mentioned development process covers commercial software.

  • ISO 27017 and ISO 27018

    I'm assuming that by ITU you mean "International Telecommunication Union".

    Considering that, ISO 27017 was developed in collaboration with ITU-T and there is a text based on this standard published as ITU-T X.1631 (07/2015), so controls from this standard are covered by ITU. Regarding ISO 27018, it only references ITU-T Y.3500, so probably some additional documents may be required (we are not experts on ITU, so we cannot provide a more precise answer).

  • Psychology within the scope of risk treatment and analysis

    Psychology within risk treatment is out of our field of expertise, but in a general way, for every risk where the human factor is involved, you should consider means, motivation, and opportunity when analyzing a situation. By elimination of these elements from the situation, you can decrease the risk, and for controls, you should consider:

    • definition of roles, responsibilities, and authorities, so people understand what is expected from them (this provides guidelines for the other two practices)
    • awareness and training, so people understand why information security is important, the consequences of incidents, and how to perform their activities (this decreases motivation)
    • segregation of duties, so a single person cannot perform all required tasks (this decreases means and opportunities).

    These articles will provide you with a further explanation:

  • Final inspection

    https://www.screencast.com/users/ccruz5284/folders/Default/media/f0c091f6-7672-46a8-bc26-94c6801cf5f8

    Before sending your finished product to customers/clients, what kind of control should be done to ensure that specifications are met? What to control? How to control? With what frequency? What should be the sample size? Who will control? Where to record the results?

    The following material will provide you with more information about inspection:

  • ISO 9001 Audit question

    I think that the two most common questions during an ISO 9001 audit are:

    What is your organization’s quality policy?
    What is your work? What are you doing? How do you know what to do or how to do?

    The following material will provide you with more information:

  • Soil Testing

    ISO 14001:2015 in itself has no mandatory requirement about soil testing. Soil testing is mandatory if national legislation requires it, or if internal procedures require it.

    You can find more information below:

  • Corrective Action Request

    Clause 0.5 is to avoid the situation where you start with a quality audit and finish with a nonconformity about taxes, or you start with an environmental audit and finish with a labor relations or social accountability nonconformity.

    Any auditor, internal or external, should stick to the scope and criteria provided before preparing the audit.

    Without knowing your documentation in detail, I think that more focus and attention from auditors and the audit program manager on objective, scope and criteria can be enough.

  • Guidelines for complying with ISO 13485 regarding validation and computerized system validation

    This basically depends on the type of medical device that you have and the regulations that you need/want to be in compliance with.

    In general, in ISO 9001:2015 validation is defined as "confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled". As for medical devices, validation involves an "assessment by objective means of whether the specified users are enabled to achieve the specified goals (intended purpose) within the specified context of use".

    Computer System Validation (CSV) is a documented process of assuring that a computerized system does exactly what it is designed to do. Requirements for validation of computer systems can be found in:

    • FDA 21 CFR part 820.70
    • FDA 21 CFR part 11.10
    • FDA 21 CFR part 11
    • FDA Guidance Document regarding Software Validation
    • ISO 13485, in chapters 4.1.6, 7.5.2.1 and 8.2.3
    • Good manufacturing practice directives
    • Guidance to achieve compliant computerized systems (GAMP 5), e.g. regarding the "risk-based approach of testing GxP systems"

    For more information on validation, please see the following articles:
