Search results


  • ISO 9001 and itemized inventory as a requirement

    If you include that requirement as an explicit specification of your orders and if your supplier accepts that requirement you can expect and demand compliance with that requirement. Let’s see what ISO 9001 requires from a supplier receiving an order from a customer, you:

    Clause 8.2.2 is about receiving an order, or a request for a quotation from a potential client. Your ISO 9001 certified supplier wants to be sure about what the customer, you, wants; it can be a standard product from their warehouse, but that is not enough. They need to know quantities, delivery date, any restrictions imposed by law, and even restrictions imposed by their own organization. For example, they may not deliver an order to a certain country, or to a PO box address.

    Clause 8.2.3 is about preparing to make a promise to the client, to you. The supplier already knows what the requirements and needs are, but before making a commitment, they must be sure they have the resources to comply.
    Can their organization comply with explicit requirements from the client, from you, for example, can they deliver the amount required on the requested date? Can their product really comply with a performance feature required by you?
    They know more about the product or service and conditions of use than any client. They may know about some implicit requirements not mentioned by you but required for the effective performance of the product. Is their organization in condition to comply with those implicit requirements?
    Can they comply with legislation and regulation applicable?
    Can they provide the product within the organization’s own internal rules? For example, will they accept a 200-day interval for payment according to the client requirements, when their organization’s internal rules are only 20 days?

    You can find more information below.

  • SOC 1 & 2 equivalent for International Vendor

    We're not experts in SOC 2, but there are many common points between SOC II and ISO 27001:2013 that may allow you to adopt ISO 27001 for due diligence for a new international vendor: risk management, internal audit, business continuity, access control, etc.

    If you want to know details about the similarities about both standards, and what resources can be shared, you can see the document “Trust Services Map to ISO 27001” in the official site of the American Institute of CPAs. You can find it at this link: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/trust-services-map-to-iso-27001.xlsx

  • ISO 45001 mandatory clauses for an audit

    In clause 9.2.1 for internal audit the ISO 45001 standard simply states that the organization must audit that the OHSMS meets their own requirements, and the requirements of the standard. Using the recommended approach from ISO 19011, the idea is to perform an audit of the processes, rather than a clause-by-clause audit of the standard. During the audit you see if the planned process arrangements meet the ISO 45001 standard requirements, then you talk to people and see if they are meeting the process planned arrangements as identified by the company (because most of them won’t know the ISO 45001 standard, rather they know what they have been trained to do). With internal audit the audit is not done clause-by-clause, so there are no mandatory clauses to audit.

    When it comes to a certification audit, they will audit all of your processes, and then ensure that everything meets all of the requirements of ISO 45001. If you are auditing a supplier (second-party audit) then it is up to you what you want to look at; you don’t need to follow the standard at all (for instance you may just want to look at their nonconformance process). If you have specific requirements on a supplier, this is often the audit criteria used in a second-party audit.

    You can learn more about auditing using ISO 19011 in the article: How to perform an internal audit using ISO 19011, https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

  • Documenting ISO 45001

    The ISO 45001:2018 standard does not define how you must create your documentation, or how it must look. In terms of procedures you can use whatever format works best for your organization, including flow charts, text documents, or even diagrammatic instructions if that is what works for your employees. As for records, again whatever format makes sense to you for a particular record is what you can use. This is of course limited by any legal requirements that may exist for records and reports, such as a government form that needs to be submitted.

    The general flow for creating documentation should go like this: What information do we need to document? Is there a required format to use (such as legal or other requirement)? If not, what is the best, and simplest, way we can record this information so that it is usable for us?

    You can learn more about the new documentation requirements in the article: New approach to ISO 45001 documentation, https://advisera.com/45001academy/blog/2018/03/13/new-approach-to-iso-45001-documentation/

  • Privacy Shield being invalidated

    Since the European Court of Justice “invalidated” the Privacy Shield, data cannot be transferred on the ground of the previous adequacy decision made by the EU Commission. This means that now data transfers must have another legal ground like the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR).

    The European Data Protection Board (EDPB) issued a FAQ on the implications for GDPR compliance of the ECJ decision and stated that the data controller must take additional measures to ensure the same level of protection of personal data assured by GDPR: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en

    The main issue is that the US data controllers are forced to comply with US law, which prevails over the Standard Contractual Clauses. The EDPB concluded by stating that the data controller should consider storing or processing data elsewhere than the US.

    You can process personal data outside of the U.S. if you use cloud providers which have servers in the European Union - all the major providers like Amazon AWS, Google Cloud, Microsoft Azure, and others have that option.

    You can find more information about data transfer here: 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

    You can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Internal audit

    According to ISO 13485:2016, requirement 8.2.4 Internal audit states that the organization must conduct internal audits at planned intervals. The purpose of an internal audit is to determine whether your quality management system conforms to all documented arrangements, the requirements of ISO 13485:2016, and all other applicable regulatory requirements. So, yes, you need to perform another internal audit to assess the compliance with MDR.

    For more information on how the internal audit should be performed, please see the following articles:

    You can even see which documents our ISO 13485:2016 Internal audit documentation toolkit has:
