Search results


    • Is special training necessary to get company certified to ISO 13485?

      No, I do not think that you need special training. You have to study the ISO 13485:2016 requirements that differ from those of ISO 9001:2015.

      For a start, I recommend you read the following article:

      You can find a lot of articles in our ISO 13485:2016 Knowledge database and on the ISO 13485:2016 Academy Blog.

      • ISO 13485 Knowledgebase https://advisera.com/13485academy/knowledgebase/
      • ISO 13485 Blog https://advisera.com/13485academy/blog/
    • How do I handle the risk of control?

      1. How does one put in the risk/control of the asset?

      I have read your website about implementing an ISMS for ISO 27001.

      First I classified my assets, labelled them, and checked the risk of each.

      Now how will this relate to the ISO controls?

      What I don't understand is that the ISO has an annex, controls and some questions (or advice).
      Because... let me take an example from the annex.
      Ok, let's say employees are also an asset. So taking annex 7.2.2
      "Information security awareness, education and training"

      Objective
      All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
      Does this mean one just has to educate the workers and partners on policies and then he is compliant with this annex?

      I understand that you want to clarify how controls from ISO 27001 Annex A are linked to identified risks.

      Considering that, you need to identify which control's requirements best treat the risk you want to mitigate.

      In your example, you only identified the asset (employees), but let's say one identified risk is that "A new employee shared his/her password because he/she was unaware of corporate policies". From this risk statement, you can see that control 7.2.2 can be used to treat this risk.

      For further information see:

      This material can also help you understand how to link risks to controls:

      2. I watched one of your videos about ISO 27001, in which the speaker gave a simple risk assessment table as a method. So what impact does that table have on the ISO requirement?

      ISO 27001 requires a definition of a risk assessment approach to identify and analyze risks (clause 6.1.3), so this table will help fulfill this requirement (without a defined approach an organization cannot be certified against ISO 27001).

      3. Assuming I have 10 assets, 3 of which have a risk while 7 are okay, which ISO 27001 controls does this relate to?

      I'm sorry, but without information about the risks, it is not possible to provide information about which controls can be applied.

    • ISO 27001 implementation

      First, it is important to understand that ISO 27001 is not mandatory for compliance with the LGPD; it can be used as a support for the implementation of the LGPD.

      Considering this, you should first identify which LGPD requirements need to be met (for example, protection of personal information), and from there identify which ISO 27001 controls can be used to meet these requirements (for example, control A.8.2.1 - Classification of information).

      A good supporting tool is ISO 27701, which is basically ISO 27001 specified for privacy protection. In one of its annexes this standard has a mapping of LGPD requirements to ISO 27001 controls.

      These articles can offer more information (the first, although aimed at the European GDPR legislation, has concepts that can also be applied to the LGPD):

    • Certifying one section of the organization

      Theoretically it is possible to certify one section of an organization, that is why scope design is important. However, don’t forget to clarify who are the customers of that section. Remember ISO 9001:2015 is to enhance customer satisfaction.

      The following material will provide you more information:

    • Strategic planning

      If you are asking my opinion, my personal answer is yes. Two companies in the same economic sector, located in the same country, under the same laws and regulations, may have different processes and priorities due to different strategic orientations. Please check my answer to another question here - https://community.advisera.com/topic/key-performance-indicators-in-relation-to-iso/ where I use a metaphor to show the importance of different strategic orientations.

      However, this is not the approach followed by ISO 9001:2015, at least not explicitly.

      The following material will provide you more information:

    • Setting objectives and targets

      Good objectives are SMART (specific, measurable, achievable, realistic and time-based). Measurable means having an indicator. Target means having success criteria.

      It is possible to consider 3 types of indicators:

      • Effectiveness indicators;
      • Efficiency indicators;
      • Quantity indicators. 

      For me, the most important are the effectiveness indicators; they measure if the purpose of the process is being met.

      For example, for a company that has a strategic direction around innovation and has a process called “Develop new products”, one can ask:

      • What is the purpose of such a process?
      • Quickly develop new products that are market hits.

      Effectiveness indicators will measure “Quickly” and “hits”. For example:

      • Average time to market
      • Revenue from new products
      • Average price of new products 

      Efficiency indicators are the classic QCD indicators:

      • Quality
      • Cost
      • Delivery

      For example, for a company that installs wireless networks for telecom companies, with a process called “Install network”, efficiency indicators can be:

      • Number of daily nonconformities raised by the customer
      • Actual network installation costs versus budgeted costs
      • On-time delivery rate 

      Quantity indicators give information about the need to manage resources accordingly. For example, the number of incoming calls at a call center is a way of evaluating the need to contract more people to handle more calls without raising waiting time.

      In this free webinar on demand I develop the challenge of working with relevant indicators - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/

      The following material will provide you more information:

    • Root cause analysis

      You asked firstly:

      What is your advice to avoid this problem?

      As you mentioned a delay in receiving a report of approx. 3 months, I shall reply assuming you are referring to the report you receive from a proficiency testing (PT) scheme.

      The purpose of a management system is to ensure that all the supporting activities are effective and any risks are under control (quality assurance). Ensuring the validity of your results, meaning that the results are valid and can be released to customers, involves a dual approach of internal and external quality control. Now the first issue at hand is to ask: is it appropriate to only be evaluating your external performance every three months? Look at the risk of releasing invalid results in the time between PT reports. If your objectives are impacted by only receiving PT reports every three months, you need to address the risk. It will depend on the method; for example, if you have performed validation using certified reference materials, or even run a CRM with every batch (i.e. an internal quality check), you are assured of the accuracy and have established that you do not have a significant bias. You would release the routine results based on the internal quality control checks passing for the same batch as the routine samples, as well as having no trends in your PT scheme performance over the prior period (i.e. no changed risk). If there was a poor performance previously, your assurance would be that the laboratory had already implemented effective, verified corrective action.

      You also asked:

      How to make the root cause investigation easy?

      To address your question, it is important to ask the purpose of root cause analysis. In the context of corrective action, it is a process used by a laboratory during evaluation of a nonconforming event, to determine the basic underlying reason for the deviation from a desired outcome. Before starting, look at the risk that the laboratory's stated desired outcome or specified criteria were not appropriate.

      So what do you need to consider when doing performance evaluation? Remember that PT is a way to confirm that over a period of time (because it has a statistical basis) your laboratory does not have a significant bias or trend. Make sure that the pre-defined performance criteria you set for each method are appropriate. To avoid unnecessary investigation these must be realistic. For example, it will not be appropriate to state that for all events where a PT report indicates a single unsatisfactory result, the laboratory would do corrective action. You need to evaluate the significance of the reported PT performance. State the reported deviation from the pre-defined performance criteria and evaluate, according to ISO 17025 clause 7.10, whether corrective action is required. For example, the assigned value may have been below the limit of quantification for your method or not a suitable matrix, meaning there is no reason for corrective action.

      The following ISO 17025 document templates may assist further:

      Quality Assurance Procedure at https://advisera.com/17025academy/documentation/quality-assurance-procedure/

      Complaint, Nonconformity and Corrective Action Procedure at https://advisera.com/17025academy/documentation/complaint-nonconformity-and-corrective-action-procedure/

      For more information on root cause, have a look at the article How to use root cause analysis to support corrective actions in your QMS at https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/

    • Meaning of "Log" in Contingency Plan

      As you know, the effectiveness of contingency action plans should be checked by testing or simulation methods according to the risk level to customers. When testing and/or simulation is done or when a real event occurs, details should be recorded in the "log" line with the date, time, etc. You can use the "log" line for this reason.

    • A.8.3 Media handling

      Please note that in ISO 27001, the word "media" refers to both electronic and paper, so all these controls can be applied to paper media.

      This article will provide you a further explanation about paper media:

      This material will also help you regarding ISO 27001 controls:

    • Designing management system by business processes vs clauses

      Because the process approach describes your organization and how it works every day in a way that people understand. Normally, in an organization, people do not know ISO 9001 clauses. It is easier to visualize the flow of work than memorize the clauses:

      • Identify materials and components needs;
      • Select suppliers and place an order (clause 8.4)
      • Control quality on reception (clauses 8.4 and 8.6)
      • Use measurement resources you can trust (clause 7.1.5)
      • Treat nonconformities on reception (clause 8.7)
      • Identify materials and lot number (clause 8.5.2)
      • Store materials and components at the warehouse (clause 7.1.4)
      • Use competent people in this process with clear responsibilities and authorities (clauses 5.3, 7.1.6 and 7.2)

      I became a fan of the process approach before the ISO 9001:2000 version because I used to work based on the clauses of the standard. When working with a service company, an interim work company, I had to always explain the standard to people. One day I decided to do a major flow of how they worked and it was a miracle, they understood it and I've never had to explain the standard content again.

      The following material will provide you more information:
