Search results

Integrated joint audit

When auditing an integrated management system, one must consider the High-Level Structure of the management system standards. Auditing clauses 4, 5, 7, 9 and 10 is straightforward

When auditing an integrated management system, one must consider two realities of an organization:

• Its processes; and
• Its facilities.

With clause 6 of each standard an organization determines risks around processes, products and business, compliance requirements, environmental aspects, risk of employee injury, and defines action plans and objectives.

When auditing, you follow an itinerary along its facilities where you audit processes (clause 8), and for each location the relevant environmental aspects and risks of employee injury and related procedures.

You follow more information below:

• How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
• ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

MDR Medical device documentation for distributors

• CE certificate
• Declaration of conformity
• Instruction of use and labels are on the proper language

The distributor of medical devices needs to have implemented a quality management system (QMS) (in MDR there is no requirement for certification of the quality management system, only that QMS must be implemented). In ISO 13485:2016 in 1. section – Scope – is stated that this International Standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to prove that medical devices and related services meet customer and applicable regulatory requirements. Such an organization can be involved in one or more stages of the medical device life-cycle including design and development, production, storage and distribution, installation, or service.

Further on, in MDR (Article 1, section 2) is stated that all medical device needs to be in compliance with harmonized standards or state-of. the art standards. On the list of harmonized standards, only one standard that is considering the quality management system is ISO 13485:2016. Therefore, it is expected that distributors and importers will also have implemented a quality management system according to the applicable requirements from ISO 13485:2016.

Here is the link to harmonized standards: https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en

For more information, please read the following:

• EU MDR Article 1, section 2: https://advisera.com/13485academy/mdr/subject-matter-and-scope/
• Similarities and differences between ISO 9001:2015 and ISO 13485:2016: https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

ISO/IEC ISMS 27001 Annex A

Please note that ISO 27001 does not require an organizational chart to present how the organization supports information security. The most common way to document responsibilities related to information security is by writing them in the implemented policies and procedures.

To see how documented responsibilities look like, I suggest you take a look at the free demo of our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These articles will provide you a further explanation about documenting responsibilities:

• Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
• 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

This material will also help you regarding documentation:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Query on Annex A Controls - IS027001

Software maintenance is basically covered by controls from section A.14 System acquisition, development, and maintenance (there is no single control specific for this purpose).

Control A.14.1.1ensures that maintenance is done in order to reach some requirements set to protect information.

The other controls you mentioned are more related to the security of information systems implementation and daily operations.

These articles will provide you a further explanation about the software development life cycle:

• How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
• How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/

Performing Security Risk Analysis

I'm assuming that by VAPT you mean "Vulnerability Assessment & Penetration Test".

Considering that, first is important to note that the purpose of risk analysis is to evaluate the risk, quantitatively or qualitatively, and that security audit is used to find out if security is being performed as planned, or results achieved are those expected, and that VAPT is used to find out if there are vulnerabilities in your environment that could be exploited.

All of this considered, security audit and VAPT cannot be used for risk analysis, but they can be used for risk identification because their results can point situations where information can be compromised (i.e., risks).

These articles will provide you a further explanation about the risk assessment process:

• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk assessment:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Processes and assurance in ISO 20000 and ITIL

You can use ISO 20000 as a management system (or a framework) towards excellence in service delivery. However, use ITIL as well, to manage daily activities and as an improvement model. 
ITIL4 guidelines can help you evolve your organization in a way to converge technology and business.
Here is an introduction article in ITIL4 "ITIL 3 vs. ITIL 4 – What has changed and what is new?“ https://advisera.com/20000academy/blog/2019/07/04/itil-3-vs-itil-4-what-has-changed-and-what-is-new/

SLA in ISO

According to ISO 20000, SLA is "documented agreement between the organization and the customer that identifies services and their agreed performance."

Here are a few articles where you can find more details:

"What’s the content of an ITIL/ISO 20000 SLA?" https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/

"SLAs, OLAs and UCs in ITIL and ISO 20000" https://advisera.com/20000academy/knowledgebase/slas-olas-ucs-itil-iso-20000/

Internal audit report review

I will not comment your auditor’s comment about doing the follow-up.

Please consider this flowchart:

When you receive the audit report a first step is to separate minor from major nonconformities.

About the minor nonconformities

The auditor found one nonconformity. As a good practice your organization should check if there are other situations not audited with the same nonconformity. A minor nonconformity requires a correction. An action to eliminate the nonconformity. Define the correction, implement that correction and shortly after check that the nonconformity was removed. For example, the auditor found an outdated form at the warehouse. Your organization check all forms in use and finds another outdated form at the sales department. Remove outdated forms and distribute the updated ones. One-week later check that the right forms are being used at the warehouse and the sales department. All these steps should be recorded in a form for treating audit minor nonconformities.

About the major nonconformities

The auditor found one nonconformity. As a good practice your organization should check if there are other situations not audited with the same nonconformity. A major nonconformity requires both a correction to eliminate the nonconformity and a corrective action to eliminate the cause of the nonconformity. Define the correction, implement that correction and shortly after check that the nonconformity was removed. At the same time, investigate what are the possible causes of the major nonconformity and determine the root cause(s) of that major nonconformity. Then determine a corrective action to eliminate that/those root cause(s). Implement that corrective action and shortly after check that the corrective action was implemented. After some agreed time, check that the implemented corrective action was effective. For example, an organization took to much time to answer to complaints. Their internal procedure mentioned less than 24 hours for a first answer while they had on average more that 60 hours. 3 months after implementing the corrective action they concluded that the average time for the first answer was 12 hours. The corrective action was effective.

Please ensure that implementation and effectiveness is verified by someone not working on the department or area where the nonconformity took place.

You can find more information below:

• Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
• Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ 
• ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

Archived document control policy

What do you mean by archived documents?

If you mean records – the answer is yes. Records are the memory of an organization. If an organization lose or cannot access the records in time, it has no memory. An organization without memory is an organization that learns slowly. An organization must define rules to archive records in order to be clear and easy how to retrieve them and how to protect them.

Please check in this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ the list of mandatory records required by ISO 9001:2015

You can find more information about records below:

• How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/