Search results


  • Streamlining OHSMS

    One smart way of streamlining the OHSMS is to work systematically through the standard. If you are not using a toolkit that guides you through the implementation, then it is best to go through the ISO 45001 standard in order from clause 4 through clause 10, as it is in a fairly good order for understanding the OHSMS. The only thing that is out of place is that you will want to set up the process for documentation control (clause 7.5) first, so that you have the rules for recording procedures and records as you go through.

    The other thing to keep in mind is to think about what you already have in place that could meet the requirements of the standard as you work your way through. If you are meeting your OH&S legal requirements, you will likely have many processes already in place that might either completely or partially meet the standard's requirements. It is also helpful to think about what documentation you actually need instead of just trying to document everything. Simple and concise documentation will be more helpful than complicated and confusing procedures.

    You can learn more about OHSMS implementation in our free download: Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process

  • Calibration Requirements

    As ISO 17025 applies to accredited calibration laboratories, they need to meet all the relevant requirements of the standard, other than those applicable only to testing laboratories.

    I am not sure I understand fully your reference to a “calibration recall list”. There is no defined recall list as may apply to regulated products released to end users.

    Firstly, the calibration laboratory must ensure the validity of the service to a testing laboratory before they accept the work. Before calibrating any testing laboratory equipment, a calibration laboratory needs to ensure that all their equipment used in that calibration meets the requirements of ISO 17025, as well as your performance specification as a customer. This includes metrological traceability to international units for all equipment used. They must make their Calibration and Measurement Capability (CMC) known upfront. This means that, following a documented process, they can express the capability of calibration and measurement to be performed for you through a statement of uncertainty.

    If, however, the laboratory discovers non-conforming work that was released by them, the process to address this is the same as for testing laboratories. They need to base decisions on risk, evaluate and make a decision about the significance of the deviation, and make a decision regarding the action to be taken. The ISO 17025 requirement is that the customer will be informed. If necessary, work must be recalled.

    The following may be useful to you:

  • Some Information regarding ISO 13485 and ISO 9001

    Yes, the manufacturing of surgical masks must lie under the scope of ISO 13485.

    There is a difference between ISO 9001:2015 and ISO 13485:2016, and by implementing ISO 9001 not all requirements for the manufacturing of medical devices will be fulfilled. It is not a question of preference, but of what the legal regulations are and what requirements must be met in order for a medical device to comply with its regulations. ISO 13485:2016 is a standard that is specific to manufacturers of medical devices (Medical devices — Quality management systems — Requirements for regulatory purposes). Besides that, the web pages of the European Commission state which standards are applicable for all types of medical devices: https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en

    On that list, which has around 300 standards, only ISO 13485:2015 is the standard for the quality management system.

    For more information on this topic, please see the following articles:

    • Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/
    • What is ISO 13485? - https://advisera.com/13485academy/what-is-iso-13485/
    • How to get ISO 13485 certified? - https://advisera.com/13485academy/iso-13485-certification/
    • Checklist of ISO 13485 implementation and certification steps - https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

    • Risk Assessment Table

      Please note that ISO 27001 objective is the protection of information, regardless of its format and where it is.

      Considering that, you need to evaluate your situation not by what you do, but by how it impacts the information you want to protect (in this case I'm assuming it is the data you access remotely).

      In your stated scenario, the loss of utility power may impact the availability of processed information in the following ways:
      - an unauthorized person may have access to your facility and damage the equipment you use to remotely process data, so when utility power is back you cannot resume the work.
      - during the power loss, you cannot provide processed information.

      In these cases, you need to consider how the UPS and generators affect your operational capacity to maintain the remote processing of information. Basically, all these risks are actually related to the availability of information, which is part of the C-I-A triad.

    • ISO 9001:2008 vs ISO 9001:2015 risk analysis

      I recommend keeping the old risks in the register and adding the new risks. What must be updated are the columns in the register about, for example, probability, severity and result. If corrective actions were taken and were effective, either probability was reduced, or severity was reduced, or both.

      You can find more information below:

    • ISO 9001 sales metrics

      I recommend that organizations see sales as a process in order to develop metrics.

      For example, about the outputs:

      • Sales revenue (total or per line of product/service)
      • Number of complaints
      • Number of clients lost
      • Number of clients won
      • Average price

      For example, about the process:

      • Rate of successful proposals
      • Average time to proposal

      You can find more information below:

    • Statement of Applicability

      1 - My understanding of the SOA is that it lists the 114 controls of Annex A. An organization should select the controls that are ‘applicable’ to safeguard the assets that are in the scope of the organization's ISMS. Is this correct?

      There is something I do not understand. The above makes sense if the SOA only applies to 1 asset (for example, a single business system). In this example, 112 out of 114 controls might be applicable. But what happens when you add more and more assets? The 2 controls that are not applicable for the first asset might be applicable for the other assets – eventually, you just end up saying that all 114 controls are applicable and therefore the SOA does not really have much value at this point?

      When you add more assets, the number of applicable controls will in fact increase, but from our experience with our customers, smaller companies are usually at ca. 100 controls, while larger ones are usually above 110.

      For example, for companies that use only Commercial off-the-shelf (COTS) software, there is no need to apply control A.9.4.5 Access control to program source code, because there would be no source code in the organization.

      Please note that the purpose of the Statement of Applicability is not only to list the applicable controls, but also to provide a justification for applicable controls (e.g., needed to treat a risk, needed to fulfill a legal requirement, etc.), a justification for non-applicable controls, and the implementation status of the applicable controls. This information can be used to summarize an organization's approach to protecting information and to guide auditors during audits.

      For further information, see:

      2 - My other question is around risk assessments. If all 114 controls are applicable for a system, does that mean our risk assessment has to cover all 114 controls? Or would a better way be to do a ‘compliance assessment’ to verify which of the 114 controls are applicable and which of those controls are implemented and working effectively and then document the risks based on the control gaps?

      Please note that for ISO 27001, risks and requirements lead to control applicability, not the other way around.

      Considering that, you do not need to identify risks to justify the applicability of all 114 controls, only the controls that are relevant to your organization.

      What you could do in the next regular risk review (e.g. in 6 or 12 months' time) is to include the risks that you realized were missing from your existing risk assessment.

      This article will provide you with a further explanation about risk assessment and risk treatment:

      This material will also help you regarding risk assessment and risk treatment:
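
To make the direction of the reasoning in this answer concrete (risks and requirements select controls; the SoA then records applicability, justification and implementation status), here is an added Python example. It is not part of the original answer or of Advisera's materials. The control identifiers follow the ISO 27001:2013 Annex A numbering used above, but the abbreviated control catalogue, the risk register, the requirements list, the implementation statuses and the justification wording are all constructed sample data, and the treatment-option names are an illustrative convention.

```python
"""Derive a Statement of Applicability (SoA) from a risk treatment plan and a
requirements list, rather than assessing risks per control.

Added example, not part of the original forum answer. All input data below is
constructed; the catalogue is a small subset of ISO 27001:2013 Annex A so that
the example stays short, but the logic does not depend on catalogue size.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed, abbreviated catalogue (a real SoA lists all 114 Annex A controls).
ANNEX_A = {
    "A.9.2.1": "User registration and de-registration",
    "A.9.4.5": "Access control to program source code",
    "A.11.2.2": "Supporting utilities",
    "A.12.3.1": "Information backup",
    "A.17.1.2": "Implementing information security continuity",
    "A.18.1.4": "Privacy and protection of personally identifiable information",
}


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment: str          # assumed convention: "modify", "retain", "avoid", "share"
    controls: tuple = ()    # controls selected to modify the risk


@dataclass
class Requirement:
    source: str             # e.g. an SLA clause or a law
    controls: tuple


@dataclass
class SoaEntry:
    control_id: str
    name: str
    applicable: bool
    justification: list = field(default_factory=list)
    status: str = "not applicable"


def build_soa(catalogue, risks, requirements, implemented, not_applicable_reasons):
    """Return {control_id: SoaEntry}. A control is applicable only if at least
    one risk treatment or one requirement selects it; every other catalogue
    control is marked not applicable with an explicit justification."""
    reasons = defaultdict(list)
    for r in risks:
        if r.treatment != "modify":
            continue  # retained/avoided/shared risks select no controls
        for c in r.controls:
            reasons[c].append(f"treats risk {r.risk_id} ({r.description})")
    for q in requirements:
        for c in q.controls:
            reasons[c].append(f"required by {q.source}")
    unknown = set(reasons) - set(catalogue)
    if unknown:  # a typo in the risk register would otherwise silently vanish
        raise ValueError(f"controls not in catalogue: {sorted(unknown)}")
    soa = {}
    for cid, name in catalogue.items():
        if cid in reasons:
            status = "implemented" if cid in implemented else "planned"
            soa[cid] = SoaEntry(cid, name, True, reasons[cid], status)
        else:
            why = not_applicable_reasons.get(
                cid, "no risk treatment or requirement selects this control")
            soa[cid] = SoaEntry(cid, name, False, [why])
    return soa


def summarize(soa):
    """Counts an auditor typically asks for first."""
    applicable = [e for e in soa.values() if e.applicable]
    return {
        "applicable": len(applicable),
        "not_applicable": len(soa) - len(applicable),
        "implemented": sum(e.status == "implemented" for e in applicable),
        "planned": sum(e.status == "planned" for e in applicable),
    }


# Constructed sample input.
RISKS = [
    Risk("R1", "utility power loss stops remote processing", "modify",
         ("A.11.2.2", "A.17.1.2")),
    Risk("R2", "backup media lost in transit", "modify", ("A.12.3.1",)),
    Risk("R3", "ex-employee retains an account", "modify", ("A.9.2.1",)),
    Risk("R4", "low-value risk accepted by management", "retain", ()),
]
REQUIREMENTS = [
    Requirement("SLA with customer Jon, clause 32-b (restore ABC within 24 h)",
                ("A.17.1.2",)),
    Requirement("GDPR (legal)", ("A.18.1.4",)),
]
IMPLEMENTED = {"A.9.2.1", "A.12.3.1", "A.18.1.4"}
NA_REASONS = {"A.9.4.5": "only COTS software is used; no source code is held"}

if __name__ == "__main__":
    soa = build_soa(ANNEX_A, RISKS, REQUIREMENTS, IMPLEMENTED, NA_REASONS)
    for e in soa.values():
        flag = "YES" if e.applicable else "NO "
        print(f"{e.control_id:9} {flag} {e.status:14} {'; '.join(e.justification)}")
    print(summarize(soa))
```

Two things the run makes visible that the prose only states: A.17.1.2 ends up with two justifications (a risk and a contractual requirement), which is the normal case for a control that stays applicable as assets are added; and A.9.4.5 is not silently dropped but carries the stated COTS reason, which is what an auditor will look for.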

    • Assessment/Treatment Methodology

      The list of legal, regulatory, and contractual or other requirements summarizes all requirements, interested parties, and responsible persons for complying with requirements that must be fulfilled by the ISMS.

      An example of how to fill in the List of Legal, Regulatory, Contractual, and Other Requirements, is this scenario:

      A customer has a service level agreement with your company which defines, in clause 32-b, that in case of a disruptive incident, access to information system ABC must be restored to at least 30% of normal capacity in no more than 24 hours. In this case, the person responsible for system ABC is responsible for ensuring the system's compliance with this requirement. Then your document would look like this:

      Interested party: Customer Jon
      Requirement: Clause 32-b (recovering access to system ABC to at least 30% of normal capacity in no more than 24 hours)
      Document: Service level agreement
      Person responsible for compliance: System ABC administrator
      Deadline: 24 hours after the occurrence of disruptive incident which makes access to system ABC unavailable

      To see what a list of legal, regulatory and contractual or other requirements looks like, please take a look at the free demo of our List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

      This article will provide you with a further explanation about the list of requirements:

    • ISO 22301 Accreditation

      PECB does not require a specific set of courses or curriculum of study as part of the certification process, so self-study or third-party training are optional. If you go for training, the completion of a recognized PECB course or program of study would be the better approach.

      For further information, see: https://pecb.com/en/examination-rules-and-policies

    • Online internal audit

      Thanks, noted, but my query was related to online internal audit. Also, I would like to inform you that in India one online external audit was performed. If required, I can give you details.

