Perhaps each big piece of engineering equipment is made to order according to specific customer needs. Validation can be done through simulations and testing under intended user conditions or, for example, during installation with tests. For example, when I worked in the chemical industry my company ordered equipment, a chemical reactor for example, and during installation I remember doing water-pressure tests and shaft rotation tests to confirm safety and performance.
The following material will provide you with more information:
We received this question:
Thanks Rhand, for our readiness assessment the external auditors issued a finding that we did not explicitly define a policy/procedure describing the context of the organization, they went on further to say we should determine if any internal and external issues would impact the intended outcome of the ISMS.
You guys are saying we do not need to document the context of the organization but we should have a procedure to check internal and external issues.
What I am going to do is add internal and external issues to our yearly compliance check with a step to ensure we determine whether any of these issues impact the intended outcome of the ISMS. Do you think this is sufficient?
Answer: Regarding your proposed solution, adding internal and external issues to your yearly compliance check would be sufficient to meet the standard's requirements.
Please note that it is not a matter that "You guys are saying we do not need to document the context of the organization...", but that the ISO 27001 standard itself does not require such documentation. Considering the standard, the issue raised by the external auditors is at most an opportunity for improvement (not a nonconformity).
As a suggestion, you should politely ask your external auditors for clarification about which clause or part of the standard requires a policy/procedure describing the context of the organization.
For further information, see: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
ISO 27001 does not prescribe keeping maintenance logs.
For ISO 27001, the need to keep logs is defined by the results of risk assessment and applicable legal requirements, and also by the need to prove to auditors that security processes are being performed. These are the elements that will help you define which information must be logged, as well as for how long.
These articles will provide you with a further explanation about logging:
This material will also help you regarding logging:
As far as I understood your question, you presented this scenario:
I can add more information:
ISO 9001:2015 no longer mentions preventive action. So, I will only speak about corrective action. Go back to your production and raise a corrective action request. Start by stratifying the defect types. Use, for example, a Pareto chart. For the more common defects, try to find the root cause(s).
You can find more information below:
Unfortunately, Advisera's scope of work is around management systems, not product certification. So, I cannot tell you which certifications are needed in each country. If it's your first experience of exporting outside Asia, I would rather start with one market, perhaps the least difficult to penetrate. Find the certifications required, apply, and enter the market. In more mature markets it may be useful to add a management system certification for quality and/or environment. For example, in Europe I see a lot of manufacturers for mature markets applying for ISO 14001 certification to cater to clients and consumers that value that message.
Please check this information below with more detailed answers:
With ISO 9001:2015 there is no longer a mandatory requirement for the existence of a function such as Management Representative or QMS Coordinator. So, each organization is free to decide whether to have such a function and to design its roles and responsibilities. As a suggestion, I invite you to look at ISO 9001:2015 clause 5.1.1 and think about how you can help top management perform their duties with the management system. Other suggestions vary according to the size of the organization and its organization chart. For example, supervise:
You can find more information below:
1. An integrated approach of ISO 13485 and ISO 9001: what should be focused on considering these 2 standards (these will be audited separately)? For the integrated approach, I am following Annex B of ISO 13485.
Yes, for the integrated part you can follow Annex B of the ISO 13485:2016 standard. Be focused on the following:
Strictly define and state in the Quality manual which requirements from ISO 13485:2016 are not applicable for your process and medical device. For example, if your medical device is not sterile, then requirement 7.5.5 Particular requirements for sterile medical devices and requirement 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems are not applicable for you.
There are certain requirements in ISO 13485 that need to have documented procedures, while there are no such strict requirements in ISO 9001:2015. For example, you need to make a documented procedure for purchasing (requirement 7.4.1), the procedure for validation (7.5.6), and the procedure for identification and traceability (7.5.8 and 7.5.9).
For more information on what ISO 13485 is, please see the article on the following link:
For more information about the similarities and differences between ISO 9001:2015 and ISO 13485:2016, please see the article on the following link: https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/
2. How to pass the ISO 9001 stage 1 and stage 2 audits?
To pass the ISO 9001 stage 1 and stage 2 audits, your organization must have a quality management system designed according to ISO 9001:2015 requirements, and it must be implemented and followed.
3. A regulatory procedure and form is required that will meet both standards' requirements.
You can add to your Quality manual a cross-reference table for your Quality management system between ISO 9001:2015 and ISO 13485:2016.
If your company is under German law, you will apply German law and GDPR towards all your data processing activities no matter where your employees are located.
From a GDPR point of view, data processed by employees must comply with GDPR requirements wherever your employees are located. Therefore, you should consider your employee as a German or EU employee and require them to follow the same data policy of your organization. This happens because GDPR compliance is an obligation of the data controller, who must ensure that everyone in its organization complies with it.
There are other aspects of the employment agreement (wage, illness, social security) which may differ from country to country, and for those, you should check with a labor lawyer.
Yes, you are right. Please check ISO 9001:2015 clause 7.5.3.2 a). Organizations should have a way of controlling distribution of, or access to, relevant quality management system documents. If documents are on paper, I recommend using a matrix that relates document identification, version, location, and who has access to it. If documents are in digital form, I still recommend the use of a matrix to relate document identification, version, and who has access to it. This is critical to ensure that paper documents are updated whenever there is a change in version and that people are informed of the change (for paper and digital documents).
You can find more information below: