ISO 27001 does not prescribe keeping maintenance logs.
For ISO 27001, the need to keep logs is defined by the results of risk assessment and applicable legal requirements, and also by the need to prove to auditors that security processes are being performed. These are the elements that will help you define which information must be logged, as well as for how long.
These articles will provide you a further explanation about logging:
This material will also help you regarding logging:
As far as I understood your question you presented this scenario:
I can add more information:
ISO 9001:2015 no longer mentions preventive action. So, I will only speak about corrective action. Go back to your production and raise a corrective action request. Start by stratifying the defect types. Use, for example, a Pareto Chart. For the more common defects try to find the root cause(s).
You can find more information below:
Unfortunately, Advisera’s scope of work is around management systems, not product certification. So, I cannot tell you which certifications are needed in each country. If it's your first experience of exporting outside Asia, I would rather start with one market, perhaps the least difficult to penetrate. Find the certifications required, apply and enter the market. In more mature markets it may be useful to add a management system certification for quality and/or environment. For example, in Europe I see a lot of manufacturers for mature markets applying for ISO 14001 certification to cater to clients and consumers that value that message.
Please check this information below with more detailed answers:
With ISO 9001:2015 there is no longer a mandatory requirement for the existence of a function such as Management Representative or Coordinator for the QMS. So, each organization is free to decide whether to have such a function and to design its roles & responsibilities. As a suggestion, I invite you to look at ISO 9001:2015 clause 5.1.1 and think about how you can help top management perform their duties with the management system. Other suggestions vary according to the size of the organization and its organization chart. For example, supervise:
You can find more information below:
1. An integrated approach of ISO 13485 and ISO 9001: What should be focused on considering these 2 standards (these will be audited separately)? For the integrated approach, I am following Annexure B of ISO 13485.
Yes, for the integrated part you can follow Annex B of the ISO 13485:2016 standard. Be focused on the following:
Strictly define and state in the Quality manual which requirements from ISO 13485:2016 are not applicable to your process and medical device. For example, if your medical device is not sterile, then requirement 7.5.5 Particular requirements for sterile medical devices and requirement 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems are not applicable to you.
There are certain requirements in ISO 13485 that need to have documented procedures, while there are no such strict requirements in ISO 9001:2015. For example, you need to make a documented procedure for purchasing (requirement 7.4.1), the procedure for validation (7.5.6), and the procedure for identification and traceability (7.5.8 and 7.5.9).
For more information on what ISO 13485 is, please see the article on the following link:
For more information about Similarities and differences between ISO 9001:2015 and ISO 13485:2016, please see the article on the following link: https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/
2. How to pass ISO 9001 stage 1 and stage 2 audit?
To pass the ISO 9001 stage 1 and stage 2 audits, your organization must have a quality management system designed according to ISO 9001:2015 requirements, and it must be implemented and followed.
3. A regulatory procedure and form is required that will meet both standards' requirements
You can add in your Quality manual a cross-reference table for your Quality management system between ISO 9001:2015 and ISO 13485:2016.
If your company is under German law, you will apply German law and GDPR towards all your data processing activities no matter where your employees are located.
From a GDPR point of view, data processed by employees must comply with GDPR requirements wherever your employees are located. Therefore, you should consider your employee as a German or EU employee and require them to follow the same data policy of your organization. This happens because GDPR compliance is an obligation of the data controller, who must ensure that everyone in its organization complies with it.
There are other aspects of the employment agreement (wage, illness, social security) which may differ from country to country, and for those, you should check with a labor lawyer.
Yes, you are right. Please check ISO 9001:2015 clause 7.5.3.2 a). Organizations should have a way of controlling distribution of, or access to, relevant quality management system documents. If documents are on paper, I recommend using a matrix that relates document identification, version, location and who has access to it. If documents are in digital form, I still recommend the use of a matrix to relate document identification, version, and who has access to it. This is critical to ensure that paper documents are updated whenever there is a change in version and that people are informed of the change (for paper and digital documents).
You can find more information below:
What recommendations would you suggest for a small/medium-sized business in light of the recent decision by the ECJ regarding the EU-US Privacy Shield?
The recent decision of the European Court of Justice (ECJ) has a huge impact on data transfer between the US and the EU. You cannot transfer data based on the decision of adequacy of the US Privacy Shield. Therefore, you need to find another legal ground for data transfer. Standard Contractual Clauses can be a solution.
The European Data Protection Board (EDPB) issued an FAQ on the implications of the ECJ decision for GDPR compliance and stated that the data controller must take additional measures to ensure the same level of protection of personal data assured by GDPR: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en
The main issue is that the US data controllers are forced to comply with US law, which prevails over Standard Contractual Clauses and Binding Corporate Rules (which are a solution for large companies and in some cases medium-sized companies).
The EDPB concluded by stating that the data controller should consider storing or processing data elsewhere than the US.
You can find more information about data transfer here:
You can consider enrolling in our free EU GDPR Foundations Course
Now I understand your context much better.
First, find a way of incorporating your own QMS’s definition of OBS in your internal audit procedure and how to handle them, to avoid an NC during the 3rd party audit.
Second, with findings raised in your internal audit, you identified several “fruits” that you want to improve, but in your second question I believe you identified two important root causes that can help improve your QMS situation (I use the term root cause here as important NC):
You could have raised these two NCs making the 18 findings as evidence that support their existence.
While your organization has to close those 18 findings, what can also be done to improve implementation and employees’ awareness about QMS and ISO 9001 req's? Employees don’t need to know everything about QMS and ISO 9001 req's; try to make a matrix about the relationship between employees, or groups of employees, or departments and QMS and ISO 9001 req's. Who can influence them? Whom do they trust? What can be the benefits for them with certification? Please check if you can find any ideas here: