Search results

Determining risks and opportunities

I recommend starting with determining the context. For the internal issues, think about that kind of issues systematically arise in the reports and internal meetings (complaints, successes, costs, customer satisfaction, performance indicators, ...). Classify the positive internal issues as strengths and the negative internal issues as weaknesses.

I use the PESTLE analysis framework in order to support the discipline of questioning the mind around various areas that may affect an organization (politics, economics, social, technology, legislation and environment) to determine external issues. After the PESTLE analysis I recommend collecting positive external issues as opportunities and negative external issues as threats and organize the information in a SWOT matrix.

Then you can combine strengths with opportunities or with threats, or combine weaknesses with opportunities or with threats, and from those combinations see if you can determine risks or opportunities.

Below you can see some examples of application of this methodology:

I describe this methodology in more detail in this free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/

You can find more information in the following links:

• How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples –https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Reducing number of documents for review

If I understand your question correctly, you asked how to reduce the number of documents from the ISO 13485:2016 that you need to prepare for your Quality management system.

There are certain points from requirements 6, 7, and 8 that can are not applicable for each manufacturer. 

For example, if your medical device is not sterile, then requirements (and all applicable documentation) 7.5.5 Particular requirements for sterile medical devices and 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems are not applicable for you.   

If your medical device does not require installation and service, then requirements 7.5.3 Installation activities and 7.5.4 Servicing activities and all applicable documentation is not applicable for your Quality management system, so you do not need to prepare it.

List of mandatory documents for ISO 13485:2016 you can find in the following link:

• List of mandatory documents required by ISO 13485:2016 https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/

   

• Detailed chain of custody from a lab accredited ISO17025

  I will address your question generally in terms of a basic contract agreement and specifically in terms of the requirements an ISO 17025 laboratory should meet for their accreditation. At this point, both parties should clearly define the problem – what you are asking and for what reason and why and for what reason they are saying they cannot assist?

  The scope and requirements of the service should have been very clear before testing commenced. If it was not requested by  yourself upfront and not advertised by the laboratory as part of their normal service, the laboratory may not be able to provide evidence of the specific chain of custody of your receipt sample. This may be due to confidentiality and basic operational (batching) limitations. What the laboratory is responsible for is to manage the risks and requirements for handling of your sample, ensure unique identification and have a system in place to ensure traceability of that sample from testing through to reporting, They need to ensure that your interests are protected through their management system; ensure the technical validity of your results and data integrity.

  This brings me to the addrressing your concern. The laboratory is required to have a documented process to handle complaints and make a description available to you. I suggest you state the exact problem. If for example results deviated from other laboratories, you could perhaps request a retest. I suggest you ask both laboratories what the measurement uncertainty is for their method and to explain the reason for the deviation to you.  If you are concerned there was a gross mix-up and the result is not that of your sample, start by checking if the number or name you identified your sample appears on the issued report. If correct, you can at least request a photograph of your retained sample, to verify the lab identification number. Alternatively, you could request access to relevant areas to check the receipt label on your retained sample. Ask them to provide the details and verify in writing that there is traceability of your sample from receipt to reporting, for example registration verified, what the batch number was, analysis date.  Furthermore you can ask the laboratory to provide some evidence to verify the quality assurance requirements were met for the batch that your sample was part of. You can also request return your retained sample.

  In summary the laboratory must meet specified contractual obligations, handle your sample suitably, deal with your complaint as per procedure and cooperate with “reasonable” requests (that do not put any management system activities at risk). If the laboratory blatantly refuses to cooperate, your recourse is to report them to their ISO 17025 accreditation body. You can find the details on their ISO 17025 accreditation certificate.I trust however, that the issue will be resolved, once the purpose and reasons are understood by both parties.

  You may be interested, for reference, to have a look at the following articles:

  • What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/
  • Six key benefits of ISO 17025 implementation at https://advisera.com/17025academy/blog/2019/10/18/six-key-benefits-of-iso-17025-implementation/
     

• Can aflatoxin be accredited using ELISA?

  I gather from your question that your laboratory is already accredited?  Adding any test method to a scope of accreditation involves ensuring that all the ISO 17025 resource requirements (clauses 6.1 to 6.6) and process (clauses 7.1 to 7.11) are met for the particular test.

  The laboratory should perform a full risk and opportunities analysis related to introducing any new test. For ELISA Assay Kits, you need to ensure that the most suitable technique (e.g. Sandwich versus Competitive ELISA) and applicable kit is used for the type of aflatoxins of interest. The laboratory must ensure that the method performance required for the purpose of the test is met. For example the test will only provide a total aflatoxin result for the aflatoxin antibodies used in a competitive ELISA test.

  It crucial to use a suitable kit produced by a reputable company, with published validation an performance criteria. Then the laboratory will need, as with all tests, to validate the method inhouse before use. Remember that depending on the matrices, interferences must be addressed as ELISA test methods are not suitable for certain matrices, for example strong colour and flavours in concentrated additives.

  The reply to a similar topic in the 17025 Expert Advice Community may provide some more support.
  Have a look at Methods verification at https://community.advisera.com/topic/methods-verification/

  
  The ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ can assist further. It includes the procedure for validation and verification of methods, named Test and Calibration Method Procedure, along a Test Method Development, Verification and Validation Register and Test Method Development, Verification and Validation Record. The techniques for method validation are listed as well as the required records.

  It is the responsibility of the laboratory to choose the suitable technique, plan experiments, reference sector specific guidelines and meet specific regulatory and accreditation body requirements. The procedure is also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/

• IATF 16949:2016 Training

  As stated in IATF 16949: 2016 standard 7.2.3 f) ‘’Maintenance of and improvement in internal auditor competence shall be demonstrated through f) executing a minimum number of audits per year, as defined by the organization ''.

  The minimum number of internal audits to be performed should be determined by the organization. Performing 1 audit annually may be a risk for the knowledge and practice of internal auditors.

  If such a situation is present, my advice is that you can develop the relevant internal auditor with internal training and can conduct its first audit with an experienced auditor. If you indicate these points that I recommend in your internal audit procedure, it will be effective for the system.

  For more information, please read the following article:

  • Requirements for competence of IATF 16949 internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/

  • Duration of ISO 14001 implementation

    According to Advisera’s experience, companies using our ISO 14001:2015 Documentation Toolkit normally take this time:

    • Companies of up to 10 employees - up to 3 months
    • Up to 50 employees - 3 to 6 months
    • Up to 200 employees - 6 to 10 months
    • More than 200 employees - 10 to 20 months 

    You can find more information below:

    • Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
    • List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    • ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
    • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • GDPR queries

    What is the prime difference between ROPA & PIA?

    I assume that for ROPA you mean Record Of Processing Activities under Article 30 GDPR and PIA as Privacy Impact Assessment which is another way to name Data Protection Impact Assessment DPIA under Article 35 GDPR.

    If so, ROPA can be seen as a consequence of PIA. PIA is crucial to apply the principle of Privacy by design in your organization. You need to evaluate the process according to the GDPR principle, assess risks, and then establish how your data processing will be carried out. ROPA, therefore, is the result of processes selected as compliant to privacy by design and other data processing principles that have been considered and assessed in PIA.

    While assessing a vendor, once I am done with the Information Risk Assessment Questionnaire, how would I be able to identify if I have to proceed with ROPA or PIA?

    PIA and ROPA are two different activities. Therefore, you need to assess risk with PIA, select the most compliant process, and then record them in ROPA.

    I have created ROPA and PIa questionnaires and added below sections; do these make sense or am I missing out on something?

    ROPAContact InformationBasic information on processing and responsibilityData CollectionPurpose and legal basis of data processingData transfers and recipientsStandard period for data erasureMeans of processingGroups with access authorization (simplified authorization concept)Technical and organizational measures (Art. 32 GDPR)Data portability

    PIABusiness / Project InformationGeneral InformationAttributes of the Data (use and accuracy)Sharing PracticesNotice to Individuals to Decline/Consent UseData sharingAccess to Data (administrative and technological controls)Privacy AnalysisRetention and Deletion

    Article 30 GDPR list the requirement of ROPA for the controller in paragraph 1 and for processors in paragraph 2. You are missing the categories of data subjects, the suitable safeguards adopted in case of transfer of data in third countries.

    Article 35 par. 7 GDPR requires for PIA at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  • the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

  In your questionnaire, it seems that the assessment part and evaluation of risk are missing unless the title of section includes it. Remember to identify the data subjects and evaluate the risk of freedom and their rights.

  Here you can find more information:

  • ART 30 GDPR: https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/
  • ART 35 GDPR: https://advisera.com/eugdpracademy/gdpr/data-protection-impact-assessment/
  • 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

  We developed some EU GDPR document template that might be helpful:

  • Data Protection Impact Assessment Methodology: https://advisera.com/eugdpracademy/documentation/data-protection-impact-assessment-methodology/
  • DPIA Register: https://advisera.com/eugdpracademy/documentation/dpia-register/
  • Inventory of Processing Activities: https://advisera.com/eugdpracademy/documentation/inventory-of-processing-activities/

  You can also consider enrolling in our free EU GDPR Foundations Course

  • EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// 

  • Doubts regarding the policy, scope ISO 27001:2013

    I would like to know how I can consider doing my company's procedures if 95% of my infrastructure is on AWS.
    For example, I wanted to think about whether AWS can share their SOA with me to learn about their goals and rationale for controls and align them with those of AWS.
    The only computers that are in the facilities are the PCs and all access via VPN to AWS.

    Regarding the ISMS scope and policies, you only need to focus on the part of the cloud infrastructure that you have direct control over (this will depend on the contracted cloud service - i.e. you would include data for SaaS, or data and application software for IaaS.).

    Examples of what needs to be done within the company are: security training and awareness, access control (defining who has the access, periodic review, etc.), etc.

    The part controlled by AWS you can handle through controls from section A.15 - Supplier relationships. In short, you need to identify the relevant risks related to the infrastructure controlled by AWS and check if the way they handle such risks is acceptable for your organization, and are properly documented in the Terms of Service. For that your understanding is correct, you can ask for the AWS SoA, so you can evaluate the applied controls, and check if they are included as security clauses in the Terms of Service. 

    You'll find a more detailed explanation here:

    • Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    • Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

  • Scope of ISO 9001 and ISO 27001 integrated management system

    Please note that neither ISO 9001 nor ISO 27001 prescribe how to elaborate documents, so organizations are free to create them as best fit their needs.

    Considering that, both approaches (separate documents or integrated into your manual) are acceptable by these standards.

    Decision criteria you may use is the effort to keeping separate documents versus the size and complexity of a single manual.

    This article will provide you a further explanation about elaborating documents:

    • 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    This material will also help you regarding document management:

    • Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • Internal audit options

    Internal audit can be performed by the organization's own employees, provided they have the competence and do not audit their own work. Or you can contract a third party to perform the audit (unfortunately, we do not provide such kind of service).

    As for to chose a third-party to perform the audit, you should consider at least these criteria

    • Experience and skills
    • Reputation
    • Understanding about your industry

    These articles will provide you a further explanation about internal audit:

    • How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    • Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    • 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/

    These materials will also help you regarding internal audit:

    • ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    • Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    • List of questions to ask your ISO 27001/ISO 22301 consultant (MS Word) https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-iso-22301-consultant