Search results

Certified ISO auditor in the US

Great answer. Thank you very much. 

Key Performance Indicators in relation to ISO

Unfortunately, I’m not aware of any standard to be used as a reference for the definition of KPI’s.

KPIs should be a function of the strategic orientation of an organization. Simplifying a complex world, an organization can serve clients that value above all:

• The lowest price; or
• Innovation or design; or
• Customized service.

If an organization manufactures a product or provides a service focused:

• on customization, the point is not efficiency but effectiveness;
• on the lowest cost, the point is efficiency. 

Some years ago, I developed this crazy metaphor of seeing an organization with all its processes as an athlete. If you compare the body of someone competing on athletics with the body of someone that competes on weightlifting, they are very, very different. The body of a soccer player is very different from the body of a basketball player. Different strategic orientations require different process content. Two different organizations with two different strategic orientations may have a process with a similar name but with different activities or different priorities.

The following material will provide you more information:

• Article - How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
• Article - How t write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
• Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 -
  https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Internal Audit Procedure

One can describe the internal audit process like this:

Please check this free webinar on demand that details each step in the internal audit process - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/

You can find more information in the following links:

• ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
• ISO 9001 document template: Procedure for Internal Audit - https://advisera.com/9001academy/documentation/procedure-internal-audit/
• Free online training ISO 9001:2015 Internal Auditor Course
  – https://advisera.com/training/iso-9001-internal-auditor-course/ 
• Book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

Failing to take corrective action

If a minor nonconformity, raised during the previous audit, has not been resolved within the deadline – such a small nonconformity automatically becomes a major one.

You can find more information in the following links:

• Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
• Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ (includes a slide about developing checklist questions)
• ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

Addressing Procedure pack in the ISO 13485 Manual

If you are the one who makes procedure packs, then you will describe in your ISO 13485 Quality manual what your medical devices are, of which components they consist. In your procedure for production you will describe how you make your procedure packs, are they assembled in the cleanroom, do they need sterilization, how you monitor the traceability of each component (Lot or a serial number of each component), how do you label them, and other relevant things. You need also to prepare a medical device file for them.

For more details, I would need to know what kind of procedure packs you have. 

The following article may be useful:

• How to meet ISO 13485:2016 requirements for medical device files - https://advisera.com/13485academy/blog/2017/06/28/how-to-meet-iso-13485-requirements-for-medical-device-files/

What are obligations of the manufacturers for procedure packs in MDR 2017/745, you can find on the following link:

• EU MDR Article 22 – Systems and procedure packs https://advisera.com/13485academy/mdr/systems-and-procedure-packs/

• ISO 27001 implementation

  Main challenges related to ISO 27001 implementation are:

  • Lack of management support: without this support, you won't have the minimal resources and engagement to implement the required controls.
  • Not using a project management approach: such implementation involves coordinating several people to perform dozens of activities, and without a methodology, you will finish inside a huge mess with no security at all.
  • Lack of time for the implementation project: The project can be very important, but normally, there are a lot of urgent things happening that postpone the project.
  • ISMS scope wrongly defined: not protecting information that really matters.
  • Documentation: Procedures excess or lack of details may compromise operations.

  This article will provide you additional information:

  • The 3 key challenges of ISO 27001 implementation for SMEs https://advisera.com/27001academy/blog/2017/04/17/the-3-key-challenges-of-iso-27001-implementation-for-smes/

  These materials will also help you regarding ISO 27001 implementation:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Risk Statements

  Please note that vulnerabilities are weaknesses related to an asset and they do not cause threats, they are exploited by them. Considering that, your proposed structure should be:

  Threat (that has an effect on vulnerabilities) exploits a vulnerability, resulting in a business consequence.

  Considering an asset-threat-vulnerability approach, your statement would be:

  "Information system's" (asset) "breach of maintainability" (threat) due to "insufficient maintenance installation of storage media" (vulnerability). This may lead to XWY (consequence).

  This article will provide you a further explanation about risk statement:

  • ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

  These materials will also help you regarding risk statement:

  • Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• Quality assurance in medical education

  Unfortunately, that is a very specific topic and we do not have any samples applicable to a quality assurance agency for medical education.

  Perhaps this article could be useful, although it presents a general approach - Some tips to make Control of Records more useful for your QMS - https://advisera.com/9001academy/blog/2014/01/28/tips-make-control-records-useful-qms/

  You can find more information in the following links:

  • Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Procedure for Document and Record Control - https://advisera.com/9001academy/documentation/procedure-document-record-control/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
     

• Training and Development Program

  Crafting a Training and Development Program can be based on the process approach, organizational knowledge and competence.

  With the process approach you relate people, functions and activities. With organizational knowledge you relate functions with competence requirements. With competence you design Training and Development Program to close any competence gaps.

  You can find more information in the following links:

  • Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
  • How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
  • Using Competence, Training and Awareness to Replace Documentation in your QMS - https://advisera.com/9001academy/blog/2013/12/17/using-competence-training-awareness-replace-documentation-qms/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Continual review

  While ISO 45001 does not talk about continual review, apart from the requirements for management review, the awareness requirements in clause 7.3 and communication requirements in clause 7.4 do provide a framework on what should be known by employees as well as the need for internal communication. Of course, the requirements for participation and consultation (clause 5.4) will also help with this on an ongoing basis.

  As for a best practice for this activity, there are many things that can be used. Having OH&S information boards to share necessary information, having worker representatives for different worker groups who advise on OH&S in the workplace, and even routine workplace meetings that focus on health & safety.

  You can learn more about the participation and consultation requirements in the article: How to meet participation and consultation requirements in ISO 45001, https://advisera.com/45001academy/blog/2016/03/16/how-to-meet-participation-and-consultation-requirements-in-iso-45001/