Please note that ISO 27001 standard is an intellectual property of the International Organization for Standardization, and listing the specific requirements here would be a violation of those rights. You can buy the standard at this link: https://www.iso.org/standard/54534.html
Broadly speaking, controls from section A.11 aim to protect information by protecting facilities (A.11.1 - Secure areas, with 6 controls), and equipment (A.11.2 - Equipment, with 9 controls). The selection of controls, and how to implement them, will depend on the results of risk assessment and applicable legal requirements. For support in the implementation, you can consider ISO 27002, a supporting standard which provides guidance and orientation in the implementation of controls from ISO 27001 Annex A.
These articles will provide you a further explanation about controls from section A.11 and selection of controls:
These materials will also help you regarding ISO 27001 implementation:
If you go for the certification audit, you should have most of the controls stated in the SoA as applicable implemented, and make sure that controls that mitigate the biggest risks are fully implemented.
In other words, you can leave only a smaller number of less significant controls to be implemented after the certification. In such a case, you have to ask risk owners to accept the residual risks.
This article will provide you a further explanation about certification:
This material will also help you regarding certification:
I assume from your question that your company has a testing laboratory which plans to implement a management system according to ISO 17025:2017. The pathway to accreditation basically consists of 2 stages. Stage 1 is Implementation and maintenance. Stage 2 is application, assessment and awarding of accreditation by your national accreditation body. The costs depend on the current resources you have and the fees of your accreditation body. A big component can be the cost related to method development and procuring calibration services to assure metrological traceability.
Stage 1 starts with purchasing the standard, having personnel available to establish the processes and documented information (procedures and records), personnel to evaluate performance of activities (such as test method performance, handling complaints), perform internal audits and management to review the entire system. Here you can determine your costs through a project plan. Have a look at what Advisera can offer, and if using templates will be beneficial for your company.
For more support, download a free Project plan (MS Word) for ISO/IEC 17025 implementation at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation;
Download the free Diagram of ISO 17025 Implementation Process at https://info.advisera.com/17025academy/free-download/diagram-of-iso-17025-implementation-process; and
Preview the ISO/IEC 17025:2017 Documentation Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Stage 2 involves applying for accreditation. I recommend you contact your national accreditation body, the Philippine Accreditation Bureau, who is listed, along with their contact and website detail, in the ILAC MRA Signatory search page at https://ilac.org/signatory-search/. You can request a quote from them.
For more information on Accreditation, view the Advisera 17025 Academy Free webinar – What are the steps in the ISO 17025 accreditation process? This is available at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar-on-demand/
In effect, if a minor nonconformity, raised during the previous audit, has not been resolved within the deadline – such a small nonconformity automatically becomes a major one.
You can find more information in the following links:
The main changes in ISO 45001 are the removal of the management representative and preventive action, and the addition of the requirements for context of the organization, top level risks and opportunities and format of the documented information requirements.
The main challenges in the change to ISO 45001 for your OHSMS are in the identification of context of the organization, which includes interested parties, as well as how you may want to record this context, along with the challenge of re-thinking risk for the OHSMS beyond just the risks posed by hazards.
We had a webinar on the changes from OHSAS 18001 to ISO 45001. You can see a previous recording here: ISO 45001 vs OHSAS 18001 the main changes, https://advisera.com/45001academy/webinar/iso-45001-2017-vs-ohsas-18001-2007-the-main-changes-on-demand/ or, if you have questions on the changes, you can sign up for the next webinar presentation on this topic, which is occurring on July 15th, 2020, here: https://advisera.com/45001academy/webinar/iso-45001-2017-vs-ohsas-18001-2007-the-main-changes/
According to the ISO 13485:2016, requirement 7.5.6 Validation of processes for production and service provision, processes that need to be validated are processes where the resulting output cannot be verified by subsequent monitoring and measurement. As far as I understand your process, if you measure your device after the molding (e.g. weight, height, shape, volume or similar) and during assembly, you can clearly see that the medical device is properly assembled, then there is no need to validate that part of the process. However, you need to validate the start of the molding process, when temperature and pressure have to be adjusted so that the medical device of proper characteristics can be achieved. If your machine for molding has some software and if you get a new version of the software for that machine, then for the new version you need to be sure that it did not change the final product.
For more information on validation, you can see the following articles:
On the following links you can see what certain templates look like in our ISO 13485:2016 Documentation toolkit:
There isn't anything in the ISO 13485:2016 about sterile packaging changing color. It is rather specific because each manufacturer of sterile packaging has its own method of detection. However, in ISO 13485:2016, in requirement 7.5.7 Particular requirements for validation of a process for sterilization and sterile barrier system, it is stated that the process for sterilization and sterile barrier system must be validated and that records of that validation must be maintained. It means that you need to define which is the criterion for sterilization to be declared successful. Therefore, you need to contact the manufacturer of sterile packaging to see how the sterile barrier has to behave when the sterilization process is properly conducted.
For more information on this topic, please see the following links:
Great explanation. Thank you.
One of the cornerstones of an Environmental Management system is to determine its environmental aspects. Then, it is important to identify the activities with a better environmental return, those relevant for the environment but also with a payback that can motivate top management to invest in environmental sustainability.
You can find more information in the following links:
1. How can we be sure we have identified all the internal and external issues?
Answer:
ISO 9001:2015 does not use the word “identify” but the word “determine” and that makes a difference. “Determine” means that it is the organization that decides what is an issue. The purpose is not to make the longest list of issues but the most relevant list of issues. The purpose is not to keep a list of issues but to look for risks and opportunities.
For example, this week, working with a client they considered:
I asked them to see if they could match any risk from mixing those issues. They said what was clear:
- More competition, tighter margins
- Is that relevant for any interested party?
- Yes, it is for the shareholders - they answered.
- What can the company do about it?
And they picked a positive internal issue – Experience of working abroad
Decision – invest much more in commercial contacts in order to win projects abroad
Arriving at sound decisions to grab opportunities or minimize risks is what is important.
2. How can we be sure we are monitoring and measuring them effectively?
Answer:
This is not about monitoring and measuring (clause 9.1); this is still about clause 4 and perhaps clause 9.3. “Monitor and review information” is more about keeping a radar checking for relevant issues and being able to make decisions about them. Organizations are effective when they avoid or minimize risks and when they are able to grab opportunities. That can be done during management review, for example. An evaluation on the ability to:
You can find more information in the following links: