    • ISO 13485 compatibility with EN 14126

      ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes is a standard for a quality management system, while EN 14126:2003 Protective clothing against infective agents is a standard used to demonstrate the performance of protective garments against infective agents. Since protective garments against infection are medical devices, the manufacturer is supposed to have implemented a quality management system according to ISO 13485:2016. Therefore, the manufacturer of protective garments against infection must comply with both standards.

      Further articles can provide more information about ISO 13485:2016:

      • What is ISO 13485? - https://advisera.com/13485academy/what-is-iso-13485/
      • Clause-by-clause explanation of ISO 13485:2016 - https://info.advisera.com/13485academy/free-download/clause-by-clause-explanation-of-iso-13485
    • Recommendation for ISO 45001 implementation

      My recommendation for the most practical way to implement ISO 45001 is to follow the diagram linked below, starting with the assurance of top management support, as this is necessary for the project to work. Additionally, if you are not using a toolkit that includes a format to follow (for instance, the Advisera toolkits should be implemented in order), then the best idea is to go through the standard in the order it is written. First identify the context of the organization and record the policy (clause 4), then make sure that leadership commitments are in place (clause 5), etc. The one exception to this is that the first thing you will want to do is to put in place your process for documented information (clause 7.5, for your procedures and records), since you will want to know the rules for documenting information like your OH&S policy before you start.

      One specific thing to note as you work through your context of the organization is to include all of the interested parties you mentioned (corporate, local and national government, etc.) and their requirements as part of the clause 4.2 assessment. This will give you a full, clear picture of the needs that you must incorporate into your OHSMS.

      You can see the diagram for implementing ISO 45001 here: Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process

    • ISO 9001:2015 Risk-based Thinking (A.4)

      First, ISO 9001:2015 has no mandatory requirements concerning risks and opportunities – please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ . So, whatever method your organization uses to document its risk assessment is valid if it suits your needs. Having said that, beware that a risk is not necessarily a nonconformity. Following ISO 9001:2015, I recommend that organizations determine risks and opportunities around three areas:

      • Around the business, when considering clauses 4.1 and 4.2 according to clause 6.1 – please check slide about “Intended results” in our free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
      • Around products and services, when considering clause 5.1.2 b) - please check slide about “Products and services” in the same free webinar on demand
      • Around processes, when considering clause 4.4.1 f) - please check slide about “Processes” in the same free webinar on demand

      A common way to document the risk assessment is to use a Risk Register – please check the sample from our Documentation Toolkit - ISO 9001 document template - Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/

      I take the liberty of recommending my book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ - with a strong focus on the risk-based thinking.

    • Is registrar remote audit for surveillance or recertification audits allowed?

      I have a question regarding the registrar remote audits for the surveillance or recertification audits. IATF does not allow remote audits but I believe the ISO community does. Is this correct?

      Yes, correct. IATF does not allow any remote audit.

      Also, my question points to the risk of companies losing their certification due to Covid 19 (impossibility to be audited and certified). Is there any rule, as in IATF, for extending the current certificate?

      The document "IATF Global Waivers and Measures in Response to the Coronavirus" was published by IATF as revision 03 on 08.06.2020. You can find this document on the website https://www.iatfglobaloversight.org/

      Faced with this pandemic situation, IATF has defined a document called "Global Measures of the IATF in response to the COVID-19". The objective of this document is to define the guidelines so that all the stakeholders of this Certification Scheme know how to act to mitigate the impact on the continuity of the audits and certification processes. IATF has granted a 6-month extension to each certificate issued and currently valid. This will be reflected in the IATF Database and will be visible later on in the validity of the certificate.

    • Scope of ISMS

      Your understanding is correct. By defining physical limitations in your scope, it will be easier to identify how to properly protect the information. Please note that the scope statement is not wrong; it can only be improved by specifying locations.

      Please note that the ISMS scope template provided in the toolkit covers all important elements for the scope definition. The comments included in it will guide you on where to include the information about locations.

      This article will provide you with a further explanation about the scope definition:

    • Understanding the organization and its context

      1. Can you provide any guidance or clarity on defining Clause 4.1 of ISO 27001, determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system?

      Examples of external issues are: geographical location, public infrastructure available, political, economic, social and technological trends, etc.
      Examples of interested parties: clients, suppliers, top management, and employees, etc.
      Examples of internal issues are: organizational culture, processes, and procedures, equipment, financial resources, etc.

      This article can help you:

      2. Also, where is this typically documented?

      ISO 27001 does not require documenting the context of the organization, and this is especially not recommended for smaller organizations - you only need to take the context of the organization into account when defining the scope and doing the risk assessment.

    • Organizational Chart

      It is acceptable for ISO 27001 to reference the Organizational Chart in the elaborated documents, instead of using employees' names. In fact, this is a good practice because, as you mentioned, by using roles instead of people's names, you do not need to update the documents every time the staff changes.

      This article will provide you with a further explanation about defining scope:

      These materials will also help you regarding defining scope:

    • Implementation of the controls before audit

      If you go for the certification audit, you should have most of your controls implemented, and make sure that controls that mitigate the biggest risks are fully implemented.

      In other words, you can leave only a smaller number of less significant controls to be implemented after the certification. In such a case, you have to ask risk owners to accept the residual risks.

      This article will provide you with a further explanation about certification:

      This material will also help you regarding certification:

    • Policy author

      ISO 27001 does not prescribe that a document's author must be part of the organization, so by the standard the fact that the author is an external consultant is not a problem.

      The auditor's concern may be related to the fact that an external consultant generally does not have deep knowledge of an organization to properly develop the documents.

      In this case, you need to ensure that documents are evaluated and approved by personnel with the proper competencies to do that, so they can validate that the documents fulfill the needs of the organization. For example, the Information security policy must be evaluated and approved by the CISO and the top manager of the ISMS scope (e.g., the CEO if the scope is the whole organization, or the department head if the scope is limited to a single department), and IT-related policies (e.g., backup policy, IT procedures, etc.) need to involve the IT manager.

      Provided that personnel from the organization with proper competencies are involved in the review and approval of documents, who writes them should not be a problem.

      This article will provide you with a further explanation about creating documents:

      This material will also help you regarding creating documents:

    • ISMS controls refer to Finance

      Many thanks Rhand for your quick response - very helpful
