Considering ISO 13485:2016, requirement 4.2.5 Control of records states that the organization will keep records for at least the lifetime of the medical device, or as specified by applicable regulatory requirements, but not less than two years. It means that if the lifetime of your medical device is six months or one year, you need to keep records for at least two years.
For more information, please read the following article:
You can also check out our book for more information:
Data Transfer Agreement template (Referenced in Cross Border Transfer Procedure):
DTA for Controller -> Controller
DTA for Controller -> Processor
When to use which one?
OHSAS is the acronym for Occupational Health and Safety Assessment Series. This is from a series of standards that were issued by the British Standards Institute (BSI) in 1999, which included 2 standards: OHSAS 18001:1999 & OHSAS 18002:1999. On the other hand, OHSMS is the acronym for Occupational Health & Safety Management System. The OHSMS is all of the rules, policies, processes and procedures that an organization puts in place to continually improve OH&S performance, fulfil legal and other OH&S requirements and achieve OH&S objectives for the company. While OHSAS 18001:2007 previously provided the requirements for an OHSMS, now that ISO 45001:2018 has been released as the internationally recognized requirements for an OHSMS, it will replace OHSAS 18001:2007.
You can find out more in the article: OHSAS vs. OHSMS: What is the difference, https://advisera.com/45001academy/blog/2019/10/16/ohsas-vs-ohsms-what-is-the-difference/
Thanks for your answer!
What formats should I use to comply with the clauses and controls of ISO 27001? (For example, registration of the scope of the ISMS, SWOT - to know where the company is headed and determine its objectives and align them with the ISMS)
ISO 27001 does not prescribe the format to be used to elaborate documents, so organizations are free to develop them as better fits their needs, provided the clauses and controls statements are fulfilled.
To see what documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
These articles will provide you a further explanation about developing documents:
These materials will also help you regarding developing documents:
Please note that "risk transfer" is the general approach to treat risk, and according to ISO 27001 you need to specify which controls you will apply to implement this option (e.g. controls from section A.15 for suppliers and control A.13.2.2 Agreements on information transfer for third parties in general).
These articles will provide you a further explanation about risk treatment:
This material will also help you regarding risk treatment:
Up to this moment, ISO 27701 is not mandatory, and as with any new standard, it remains to be seen if it will become popular, i.e. useful.
This article will provide you a further explanation about ISO 27701:
As per the IATF 16949:2016 standard, all system internal auditors must be competent in the following.
If your current internal auditor is trained, competent, and your automotive customers do not have a special requirement in this regard, your internal auditor may provide this training to other employees.
Please consider this free webinar on demand about - How to perform an internal audit remotely - https://advisera.com/9001academy/webinar/remote-internal-audit-free-webinar-on-demand/
About ISO 19011:2018, please consider this: ISO 19011:2018 mentions the possibility of using remote audits and virtual audits. There is an important remark: Performing remote audits can depend on the kind of risk to achieving the audit objectives, the level of confidence between auditor and auditee’s personnel and any regulatory requirements. Please check ISO 19011:2018 Annex A.1 Applying audit methods. See also Annex A.15 Visiting the auditee’s location and Annex A.16 Auditing virtual activities and locations.
Deciding when and how to use remote auditing techniques depends on the audit objectives, scope and criteria, the available technology, the competency of the auditee and auditor to use the technology, and the type of audit evidence that needs to be gathered. The key question is whether the remote auditing techniques allow you to meet your audit objectives, while benefitting the audit process, or whether the use of remote auditing techniques could be a disadvantage to your audit.
The following material will provide you more information:
A nonprofit association having all its services and support outsourced. Do you mean even top management? Do you mean even promotion of fundraising and contacting activities with benefactors? Who represents the nonprofit association? Who decides about outsources and contracts?
If you have at least one person acting as top management, you can certify that nonprofit association.
The following material will provide you more information: