Certification contracts are valid for three years. After the certification audits, there are yearly surveillance audits.
Surveillance audits are mostly about checking if your management system is working as designed. So, pay special attention to your records. Are all the incidents being recorded? Measurements, complaints, corrective actions, non-conformities, internal audits, and management review, etc. Remember, if your organization had any minor non-conformity or observations during the certification audit, be sure that auditors will look into those issues with special care to confirm that actions were taken and close those nonconformities.
Surveillance audits will take less time to perform than the original certification audit. Auditors are not so much concerned with the quality management system design, but with its maintenance. I cannot tell you what auditors will ask, but I can assure you that they will start each time by looking at your key activities (such as management review, internal audit, corrective actions and complaints treatment), and will then only look at some of the remaining parts within your management system.
You can find more information below:
A laboratory needs to address the risk of the event you describe. To answer your question, I would like to pose a few more questions: what does the signature of an authorised signatory on a report mean? What are they acknowledging or committing to with their signature? Is it a solution for the laboratory to send the signatory the reports (hardcopy or electronic) for signature, away from the laboratory?
How this situation is handled depends on a number of factors. You need to look at the consequence and implication of deviating, and see if a temporary or alternative arrangement can be made. Firstly, consider context depending on the sector. It will depend on the purpose, i.e. the need of the customer (what the results are being used for). Consider if there are legislative requirements to be met for releasing results. Can an interim result be released under the circumstances, if deemed suitable and this is included in a signed agreement? Note that, looking at the reporting step, the standard accommodates an agreement with the customer to report results in a simplified way. This does not, however, address the authorisation to release results.
Secondly, consider issues in terms of accreditation, i.e. claiming technical competency for the result released on a report with the accreditation mark. One must also consider that the authorised signatory (or technical signatory) is a role with associated responsibilities required by the accreditation body for testing and calibration laboratories. The accreditation body requirements must be met. What ISO 17025 requires is that the laboratory has competent, authorised personnel, that the validity of results is ensured, and that results are reviewed and authorised before release. The standard does not prescribe how the laboratory must achieve this, for example by having an authorised signatory wet sign a report. Whoever performs this role is signing that they are confident that the results are valid and that the management system is in control, with all the processes, controls and checks in place. To do this they need access to all the necessary information and data for the result, as well as quality control and monitoring data for internal and external quality evaluation, in order to release results. If pandemic restrictions mean that the signatory is not physically in the laboratory, they may be able to sign offsite, as long as they acknowledge the responsibility, are aware of the risks, and meet the extra or temporary controls in place. This could include having and recording discussions with the personnel who performed the actual tests, prior to release. Another control could be for the authorised signatory to perform some verification checks on return to the laboratory.
For further information on Ensuring the Validity of results, and reporting requirements, have a look at the ISO 17025 toolkit preview of the Quality Assurance Procedure at https://advisera.com/17025academy/documentation/quality-assurance-procedure/ and the Testing Report Procedure at https://advisera.com/17025academy/documentation/testing-report-procedure/
You need to make an inventory of data processing. For each process you need to identify the lawful basis for data processing, the information given to the data subject, the risk to the freedoms and rights of the data subject, the security measures taken, and the data retention period.
You can use our Data Mapping and DPIA Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-data-mapping-dpia-toolkit/
You can consider enrolling in our free EU GDPR Foundations Course
Is there anyone who has implemented COSO ERM and ISMS together? Can you use COSO ERM to do ISMS risk assessment? Can someone share how it is being implemented? Do you use any tools?
Can ISMS use its own risk assessment methodology and approach that is different from COSO ERM?
I hope I understood your question. Any EMS must be aware of compliance obligations and their changes. I use Environmental Compliance Software in my work. It allows me to identify environmental legislation changes, their content and applicability.
You can find more information below:
Production, packaging and warehousing of finished products are mainly treated in clauses 8.5, 8.6 and 8.7 of ISO 9001:2015, which are concerned with:
You can find more information below:
As far as I understand your question, top management must determine who has the authority to approve each document relevant for the quality management system.
So, validating a QMS document requires its approval by an authorized person. Please consider this article, "Some tips to make Document Control more useful for your QMS" (https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/), with the main steps for controlling documents.
You can find more information about documents and records below:
Organizations exist to serve interested parties. While trying to do that, organizations are constrained, helped or hindered by other interested parties. So, organizations have to consider and manage what each interested party needs or expects in order to meet expected results and minimize risks.
You can find more information about interested parties below:
I would verify if:
You can look for more information below:
IATF 16949:2016 clause 6.1.2.3 e) says "periodically test the contingency plans for efficiency (e.g. simulations as appropriate)".
Also, item c) says "prepare contingency plans for continuity of supply in the event of any of the following: key equipment failures (also see Section 8.5.6.1.1); interruption from externally provided products, processes, and services; recurring natural disasters; wastage; utility interruptions; labor shortages; or infrastructure disruptions".
In this case, for the situations specified in item c), testing or simulation is mandatory. The organization can determine the frequency of testing or simulation according to the risk and its impact on the customer.
So, at least for all cases, you can test or simulate once; then you can determine the frequency according to the results and the risk.