
  • ISO 9001 responsibilities and tasks

    With ISO 9001:2015 there is no longer a mandatory requirement for a quality management representative (QMR). ISO 9001:2015 makes no mention of a QMS office either. So, it is up to each organization to design the set of responsibilities, authorities and tasks of both a QMS office and a QMR. If your organization decides to keep both functions, read your QMS documentation, interview people, and list all activities done for each function. Then, separate those where people have latitude for decision (authority) from those where people are just expected to act (responsibility).

    For example, an organization may decide that a QMS office has the responsibility to receive and investigate complaints, but no authority to decide what to communicate to customers.

    The following material will provide you more information:

  • Sampling (clause 7.3)

    From your explanation, if you are testing all the materials used for an installation, then the sampling requirements would not apply to your activities. Sampling covers, simply, the taking of a unit or portion of a material, substance or product from the source so that a sample can be tested or calibrated. The intent is that the sampling plan and methodology result in a suitably representative sample for subsequent testing, so that the measurement result represents the source. As you are doing the testing, look at the risk based on what you are reporting. If the report claims that the consignment of aluminium curtain walls, doors and windows used in your installation is fit for purpose, or conforms to a specification, and your laboratory only tested a portion of the consignment, then you do need to comply with Clause 7.3, the sampling requirement. The standard you use may state the sampling rate (number of units tested per units in the consignment), in which case you can reference the standard and provide recorded evidence that the requirements were complied with.

    If applicable, have a look at the ISO 17025 document template previews: Sampling Procedure available at https://advisera.com/17025academy/documentation/sampling-procedure/ as well as the 2 related appendices Sampling Plan at https://advisera.com/17025academy/documentation/sampling-plan/ and Sampling Report at https://advisera.com/17025academy/documentation/sampling-report/

  • UDI procedure that covers the EU MDR requirement

    Unfortunately, the UDI procedure is not part of our ISO 13485:2016 and MDR Documentation toolkit. According to MDR Article 27 – Unique Device Identification system and MDR Annex 6 – Information to be submitted upon the registration of devices and economic operators in accordance with Articles 29(4) and 31, core data elements to be provided to the UDI database together with the UDI-DI in accordance with Articles 28 and 29, and the UDI system, there is no need to have a documented procedure for UDI. The requirement is for the List of UDI, which you have in your toolkit.

    For more information on the mandatory documents in the MDR, please see the following material:

    • EU MDR Checklist of Mandatory Documents https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents

  • Environmental areas tracking and economic impact

    Some years ago, I wrote about "Tuning environment and strategy for the business". The idea was based on the fact that organizations want economic results, and that is why they develop business strategies. Environmentally conscious organizations should try to obtain business results while complying with environmental legislation and improving their relationship with the environment.

    Simplifying reality, an organization can compete based on:

    • The lowest cost;
    • The best service;
    • The most innovative product/service.

    While developing an environmental management system, an organization must determine its aspects and impacts. To evaluate the significance of aspects and impacts, an organization must develop some criteria to give a classification based, for example, on frequency, severity for the environment, and importance for the business.

    If competition is based on the lowest cost, your organization can consider as important those aspects that can increase costs, for example hazardous waste disposal.

    If competition is based on service, your organization can consider ways of improving relationships with the environment jointly with the customers. For example, I once worked with a company that worked together with a customer to start using reusable packaging for its supplies instead of single-use packaging only.

    If competition is based on innovative products/services, your organization can consider as important the development of new products/services that reduce the environmental footprint of products and services throughout the life cycle. This allows your organization's brand to acquire an environmentally friendly connotation.

    Please check the information below for more detailed answers:

  • AS9100 internal audit report

    As per AS9100 Clause 9.2, your internal audit needs to confirm that you have met the requirements of the standard, as well as your own internal requirements. So, in a certification audit you will need to demonstrate that your internal audits have done this. While it is not a mandate to record this as you have stated, quoting the clauses of the standard in your audit report is one common way to demonstrate this. You may also keep track of this in a different format, as long as you can demonstrate it.

    You can learn more about how a certification audit works in the whitepaper: What to expect at the ISO certification audit: What the auditor can and cannot do, https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit

  • ISO 9001 benefits and safety

    Perhaps present the story behind the appearance of ISO 9001 and how it is related to globalization and the increase of international trade.

    The more an organization needs to trust a supplier, and the more it wants to develop partnerships with suppliers, the more important the ISO 9001 standard is as a way of ensuring that a common language can be used and understood for interfacing processes, in a world where supplier and client can be a continent away.

    The following material will provide you more information:

  • Involving employees in ISO 9001

    As a first approach, ask your top management to set the example. If top management, with their agenda, do not show the importance of the quality management system, it will be difficult for employees to be involved.

    As another approach, translate ISO 9001:2015 requirements into benefits for employees and the organization.

  • Is special training necessary to get a company certified to ISO 13485?

    No, I do not think that you need special training. You have to study the ISO 13485:2016 requirements that differ from ISO 9001:2015.

    For a start, I recommend you read the following article:

    You can find a lot of articles in our ISO 13485:2016 Knowledge database and on the ISO 13485:2016 Academy Blog.

    • ISO 13485 Knowledgebase https://advisera.com/13485academy/knowledgebase/
    • ISO 13485 Blog https://advisera.com/13485academy/blog/
  • How do I handle the risk of control?

    1. How does one put in the risk/control of the asset?

    I have read your website regarding ISMS implementation for ISO 27001.

    First, I have classified my assets, labelled them, and checked the risk of each.

    Now, how will this relate to the ISO controls?

    What I don't understand is that the ISO has annexes, controls and some questions (or advice). Let me take an example of an annex. Ok, let's say employees are also an asset. So, taking annex 7.2.2, "Information security awareness, education and training":

    Objective
    All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

    Does this mean one just has to educate the workers and partners on policies and then he is compliant with this annex?

    I understand that you want to clarify how controls from ISO 27001 Annex A are linked to identified risks.

    Considering that, you need to identify which control's requirements best treat the risk you want to mitigate.

    In your example, you only identified the asset (employees), but let's say one identified risk is that "a new employee shared his/her password because he was unaware of corporate policies". From this risk statement, you can see that control 7.2.2 can be used to treat this risk.

    For further information see:

    This material can also help you understand how to link risks to controls:

    2. I watched one of your videos about ISO 27001, in which the speaker gave a simple method of risk assessment table. So what impact does that table have on the ISO requirement?

    ISO 27001 requires a definition of a risk assessment approach to identify and analyze risks (clause 6.1.3), so this table will help fulfill this requirement (without a defined approach an organization cannot be certified against ISO 27001).

    3. Assuming I have 10 assets, 3 of which have a risk and 7 are okay, which controls of ISO 27001 is this related to?

    I'm sorry, but without information about the risks, it is not possible to provide information about which controls can be applied.

  • ISO 27001 implementation

    First, it is important to understand that ISO 27001 is not mandatory for compliance with the LGPD; it can be used as a support for implementing the LGPD.

    Considering this, you should first identify which LGPD requirements need to be met (for example, protection of personal information), and from there identify which ISO 27001 controls can be used to meet these requirements (for example, control A.8.2.1 - Classification of information).

    A good supporting tool is ISO 27701, which is basically ISO 27001 specified for privacy protection. In one of its annexes, this standard has a mapping of LGPD requirements to ISO 27001 controls.

    These articles may offer more information (the first, although aimed at the European GDPR legislation, contains concepts that can also be applied to the LGPD):
