Search results

ISO 9001 Pregunta

La frecuencia para la evaluación de los proveedores debe ser determinada por las necesidades de la organización, ya que la norma no establece ningún método específco. 

La norma ISO 9001:2015 requiere que evaluemos a los proveedores que inciden directamente en la calidad de nuestro producto o servicio. Por ello es crucial llevar a cabo una evaluación inicial para que pueda entrar a formar parte de nuestra lista de proveedores aceptados, y posteriormente llevar a cabo un seguimiento que incluye una reevaluación de los mismos. Las evidencias relacionadas con la re-evaluación o seguimiento de nuestros proveedores puede incluir información documentada del análisis de no conformidades, incidencias, cumplimiento de proveedores, relacionados con las actividades de los proveedores.

Respecto a los criterios, de nuevo es algo que debe ser decidido por la organización, y son una serie de elementos necesarios para poder evaluar los proveedores, como por ejemplo los relacionados con los costes, el cumplimiento con una norma, la calidad y el plazo de entrega, estabilidad financiera, etc. Una vez tenemos los criterios podemos evaluar los proveedores y clasificarlos, por ejemplo utilizando una puntuación segun cumplan con los criterios seleccionados.

Para más información sobre la evaluación de proveedores en ISO 9001:2015, vea los siguientes materiales: 

- How to evaluate supplier performance according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/

- Curso gratuito en línea - Fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

- Libro - Gestión de documentación ISo: una guía en un lenguaje sencillo: https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/

ISO 9001 Pregunta

Los requisitos respecto a la información documentada del Sistema de Gestión de Calidad se encuentran en la cláusula 7.5.

En general, la documentación tiene que estar controlada, para que se encuentre disponible cuando sea necesaria y que esta documentación sea adecuada para su utilización. Cuando se crea o se actualiza la documentación, la organización tiene que asegurarse de que se identifica, se describe, y se revisa que tal documentación sea adecuada para poder posteriormente ser aprobada.

Así mismo, la empresa debe determinar cómo lleva a cabo distribución, el acceso, la recuperación y la utilización de dicha documentación.

Para más información sobre la publicación de documentos de la empresa vea los siguientes materiales:

- Some tips to make document control more useful for your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/

- What does external documents control mean in ISO 9001: https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/

- Curso gratuito en línea - Fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

- Libro - Gestión de documentación ISo: una guía en un lenguaje sencillo: https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/

Do I need iso 13485 for prosthetic liner manufacturing?

Yes, the prosthetic liner is a medical device so you need to have implemented ISO 13485:2016. Also, since the prosthetic liner is custom made device, then you need to prepare all necessary documentation as stated in the Medical device regulation MDR 2017/745, in:

• EU MDR Annex 13 – Procedure for custom made devices https://advisera.com/13485academy/mdr/procedure-for-custom-made-devices/ and
• EU MDR Annex 9 – Conformity assessment based on a quality management system and assessment of the technical documentation https://advisera.com/13485academy/mdr/conformity-assessment-based-on-a-quality-management-system-and-assessment-of-the-technical-documentation/

For more information on ISO 13485, please see the following links:

• What is ISO 13485? - https://advisera.com/13485academy/what-is-iso-13485/
• Checklist of ISO 13485 implementation and certification steps - https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
• How to get ISO 13485 certified - https://advisera.com/13485academy/iso-13485-certification/
• Clause-by-clause explanation of ISO 13485:2016 - https://info.advisera.com/13485academy/free-download/clause-by-clause-explanation-of-iso-13485
• How can ISO 13485 help with MDR compliance? - https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/

• ISO 9001 Internal Audit

  In a civil engineering consultancy firm, you have to design an audit program that includes both auditing headquarters and auditing construction sites where your organization is providing its services.

  After that major difference auditing a civil engineering consultancy firm is similar to any other audit. Define the objective, the scope and the criteria. Prepare, perform and report the audit. Please check this free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/

  You can find more information below:

  • ISO 9001 Horizontal audit vs. vertical audit - https://advisera.com/9001academy/blog/2015/03/03/iso-9001-horizontal-audit-vs-vertical-audit/
  • ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
  • Free online training ISO 9001:2015 ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/ nal-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

• ISO 9001 Question

  After reading your description I made the following drawings. First:

  

  And second:

  

  1. How to apply requirements of subject clauses 8.5 & 8.6 of ISO 9001:2015 in our above-mentioned activities? 

  Answer:

  Your organization provides different kinds of services and each time a ship is serviced a different combination of services and parts may be required. So, I’m thinking about designing how each individually service should be performed with what kind of procedures, records and controls, as a kind of library of services.

  Each provision of service in a particular ship in a particular request will be a combination of one or more services. You only add the monitoring and control of the set of services in place. After a request for intervention your organization designs and develops a project for that particular request. If you look into each service in your library, you can draw a flowchart from start to end and you can apply clause 8.5. In that flowchart you can identify all places where there are risks of something being wrong and design a quality control plan (clause 8.6)

  2. How to develop a process flow chart for above activities? 

  Answer:

  If you try to develop a process flowchart for all activities at the same time it will become a big mess and it will not be useful. A model it is not about describing reality as it is, a model is about describing reality in a useful way. So, that is why I recommend developing a process flow chart for each service and then, develop a project flow chart about how the whole intervention will be managed and controlled.

  3. Is it necessary that all OEMs & Equipment Servicing companies ?  
  Repairers to be evaluated for their performance as per Clause 8.4 of ISO 9001:2015 which normally is extremely difficult in our case ? 

  Answer:

  It is up to each organization to determine what kind of qualification is required for its suppliers. For example, an organization may decide no qualification for a supplier of standard parts but may require more for a supplier of made to order customized parts. About evaluation of performance your organization may decide which suppliers are critical and only evaluate those suppliers.

  You can find more information below:

  • Risk-based thinking is a great way of implementing prevention and control into a quality management. ISO 9001:2015 promotes the process approach and in this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ I show how to relate processes, risks, training, documentation and control
  • Purchasing in QMS – The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ where I use the risk-based thinking in several examples.
     

• ISO 9001 Question

  QA agreement is also valid for services suppliers?

  Answer:

  Of course, it is, as long as both parties understand it, and reach an agreement about service level

  How can we efficiently and clearly accept all of the above-requested information in QAA? According to ISO 9001 2015, which sections?

  Answer:

  Before an agreement is reached there is a negotiation. Each party comes to negotiation with a proposal. Imagine that your organization will be responsible for doing those 7 points. What kind of competency requirements, procedures, records and control you would implement? That can be your starting point for the negotiation. About ISO 9001:2015, for starters consider clause 8.4.1 c) and 8.4.3, your organization is buying processes, what in previous versions of the standard was known as subcontracting or outsourcing. For other clauses I see things like these:

  – 8.4, 8.6 and 8.7
  – 8.2.1, 8.5.5 and 8.7
  – 8.5.1 h)
  – 8.2.1, 8.5.5 and 8.7
  – 8.5.6
  – 8.5.1 f) h)
  – 8.5.2

  Can we audit the supplier processes according to VDA 6.3?

  Answer:

  Again, that should be included in the QAA. Please check ISO 9001:2015 clause 8.4.3 f)

  The following material will provide you more information:

  • Purchasing in QMS – The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ where I use the risk-based thinking in several examples.
     

• ISO 9001 Identifying and Assessing Risk and Opportunity

  First, although useful, it is not mandatory to use a risk and opportunity matrix/criteria to evaluate risks and opportunities.

  I recommend using a very simple matrix for any level:

  

  Where L stands for Low, M for Medium and H for High. Severity is more for risks, for opportunities you may use Advantage.

  After using this approach for some time you can refine the matrix and include more factors if considered relevant.

  The following material will provide you more information about risks and opportunities:

  • Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
  • How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Please check this free webinar on demand - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ where I use the risk-based thinking in several examples.
     

• ISO 14001 minimum requirement

  There is no minimum requirement. The whole standard is applicable. However, the application is not blind, the application will be a function of how your consulting business interacts with the environment with aspects and impacts. A small consulting business will have a small interaction with the environment.

  You can find more information below:

  • ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
  • Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
  • Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
  • ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/ 

• Implementation of ISMS

  1 - How and where to start in project for ISMS implementation.

  Roughly speaking, ISO 27001 implementation steps can be resumed in:

  1. getting management buy-in for the project;
  2. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
  3. development of risk assessment and treatment methodology;
  4. perform a risk assessment and define the risk treatment plan;
  5. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
  6. people training and awareness;
  7. controls operation;
  8. performance monitoring and measurement;
  9. perform internal audit;
  10. perform management critical review; and
  11. address nonconformities, corrective actions, and opportunities for improvement.

  This article will provide you a further explanation about ISMS implementation:

  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

  These materials will also help you regarding the ISO 27001 implementation:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  2 - Do you have any knowledge base which talks about step by step ISO 27001 implementation state. This project involves many stakeholders like application security , database track etc. So how to manager those team, as i am alone from GRC team. I have to ensure entire service tracks are aligned with ISO 27001 requirements. So please provide your valuable inputs.

  Our website provides several articles and free downloadable material that can help you with several issues related to ISO 27001 implementation, such as:

  • Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
  • Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001
  • Step-by-step explanation of ISO 27001/ISO 27005 risk management (PDF) https://info.advisera.com/27001academy/free-download/step-by-step-explanation-of-iso-27001-risk-management
  • How to Budget an ISO 27001 Implementation Project (PDF) https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
  • Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation

  To see how documents compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

• Risk Management and "Asset value" & Asset Criticality

  1) Does ISO 27001/27005 requires the Risk Management process to use asset value as part of calculating the risk assessment level.

  ISO 27001 and ISO 27005 do not prescribe the use of the asset value for risk assessment, so organizations are free to use any approach they see fit to their needs.

  For further information, see:

  • ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

  2) Does the standard require asset valuation as part of the Risk Management process? Or can be seen as an input, rather than a direct output of the process. That is to say, asset value is important to me as Risk Manager, but I need that input from the organization. It is not my responsibility to produce it as part of the RM process

  ISO 27001 requires only that risks are evaluated, so you can either obtain this value as a result of asset valuation, or any other risk management related process or from direct input from the personnel involved in the risk assessment process. Please note that in either case, the responsibility for the value is from the personnel involved in the risk assessment process, but you, as Risk Manager, must ensure the processes are performed in the right way, and with the proper personnel.

  3) What is the relationship between asset value and criticality assessment (like FIPS 199/200)? Again, I see asset criticality assessment as an input to RM, alas, not something that I am responsible for as part of the RM process.

  Criticality analysis is a systemic approach to identify how critical an asset is to the business, to support the evaluation of potential risks, and highlight any business impacts associated with such risks. Considering that, for this approach, you do not need the asset value, but only the identification of the asset itself (in this case, you need to evaluate the impact caused by the lack or failure of the asset).

  4) Finally, have you written a solid book (like the one on 22301) that explain in details how 27005 should be applied section for section?

  Since ISO 27005 is a supporting standard for ISO 27001 implementation, we did not develop a book covering this specific standard but used its guidance and recommendations to develop the ISO 27001 Risk Management in Plain English.