Search results

ISMS Risk Assessment & COSO Enterprise Risk Management

Is there anyone who has implement COSO ERM and ISMS together? Can you use COSO ERM to do ISMS risk assessment? Can someone share how it is being implemented? Do you use any tools?

Can ISMS use its own risk assessment methodology and approach that is different from COSO ERM?

EMS and Environmental Compliance Software

I hope I understood your question. Any EMS must be aware of compliance obligations and its changes. I use an Environmental Compliance Software in my work. It allows me to identify environmental legislation changes, its content and applicability.

You can find more information below:

• How to create an ISO 14001 list of legal and regulatory requirements - https://advisera.com/14001academy/blog/2019/11/04/iso-14001-legislation-checklist-how-to-create-it/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Quality in production and warehousing

Production, packaging and warehouse for finished products is mainly treated in clauses 8.5, 8.6 and 8.7 of ISO 9001:2015 in things like is concerned with:

• Specifications for products/services
• Quality control plans
• Process control plans
• Work instructions describing what to do
• Monitoring resources requirements
• Specifications for equipment and working environment
• Competency requirements for people
• Process validation requirements, if applicable
• Identification and traceability, if applicable
• Handling of materials belonging to customers and other outside parties
• Preservation and protection of products
• After sales guarantees
• Quality control activities
• Treating of nonconformities
   

You can find more information below:

• ISO 9001:2015 clause 8.5 Product realization – Practical examples for compliance - https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ - where I extensively use the process approach.
   

Steps in validation of documents

As far as I understand your question, top management must determine who has the authority to approve each document relevant for the quality management system.

So, validating a QMS document requires its approval by an authorized person. Please consider this article - Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/ - with the main steps for controlling documents

You can find more information about documents and records below:

• How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Interested party

Organizations exist to serve interested parties. While trying to do that, organizations are constrained, helped or hindered by other interested parties. So, organizations have to consider and manage what each interested party need or expect in order to meet expected results and minimize risks.

You can find more information about interested parties below:

• Understanding the needs & expectations of interested parties in ISO 14001 - https://advisera.com/14001academy/blog/2017/04/03/understanding-the-needs-expectations-of-interested-parties-in-iso-14001/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

ISO 14001 Internal Audit

I would verify if:

• all clauses of the standard were audited;
• there are evidences of the internal auditor’s competency;
• all nonconformities raised were closed; 

You can look for more information below:

• Using internal audits to drive real improvement in ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/using-internal-audits-to-drive-real-improvement-in-iso-140012015/
• Enroll for free in ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

Is it a requirement that you perform simulations on your Contingency Plans?

IATF 16949: 2016 standard 6.1.2.3 e) says "periodically test the contingency plans for efficiency (eg simulations as appropriate)".

Also in article c) "prepare contingency plans for continuity of supply in the event of any of the following: key equipment failures (also see Section 8.5.6.1.1); interruption from externally provided products, processes, and services; recurring natural disasters; wastage; utility interruptions; labor shortages; or infrastructure disruptions".

In the following case, for the cases specified in article c); testing or simulation is mandatory. The organization can determine the frequency of testing or simulation according to the risk and its impact on the customer.

So, at least for all cases, you can test or simulate once; then you can determine the frequency according to the results, risk.

Difference between list of internal documents and list of type of records

The list of internal documents are all documents that you will prepare for your Quality management system (documented procedures). Records are documents that arise as a result of some work, testing, reports, and similar. 

For more information, please see the following articles:

• How to structure Quality Management System documentation according to ISO 13485 https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

• Observations about non-conformances

  Yes, you can add OFI (observation for Improvement) to your audit report.

  You can find more information below:

  • ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
  • Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
  • Free online training ISO 9001:2015 ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/ nal-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

• Items where most companies fail to comply with IATF standard

  This topic changes according to the size of the company and the structure of the organization. But according to my experience as a result of my audits, main problematic issues are the following:

  1. Defining contingency action plans and test/simulation results

  2. Problem-solving root cause analysis and systematic action identification and parallel of this the FMEA/control plan review/update with customer complaint management process

  3. Being able to do FMEA correctly

  4. Change Management

  5. Rework/Repair identification and risk analysis

  6. MSA application

  7. Manufacturing feasibility documentation and review for new facility and equipment

  8. General process-based risk assessment

  9. Supplier based risk assessment and supplier audit/development plan

  10. Interested party’s expectation management and to deploy the organization QMS

  11. Customer-specific requirements documentation, management, and implementation into organization quality management