Search results

Becoming an ISO 9001 expert

You must know the standard as a whole and the interpretation and purpose of its clauses. You must have experience of working with ISO 9001 in several contexts, for example, as quality manager, as a consultant, as trainer, as auditor. You must like what you do because knowing about ISO 9001 is like a journey, you must be always in the “search mode” there is always a better interpretation, a better example, each organization is different and you should have an open mind to avoid imposing rigid or “imported” models. So, you must be aware of what others are writing and publishing. You must also develop your own brand by evidencing your knowledge. You evidence your knowledge when you write. You should write. Share what you know, share your experience and results, share testimonies of your customers about the outcomes of working with you. Use blogs, professional networks, trade magazines, use your LinkedIn profile, make presentations at conferences. And don’t forget to develop a network of contacts.

If you need an initial aid to start working in the implementation of a quality management system perhaps this course could be useful, you can enroll for free - ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/

If you want to become a lead auditor of quality management systems perhaps this course could be useful, you can enroll for free - ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/

If you need some ideas about starting a consulting work, perhaps this webinar can give you some ideas - Free webinar on demand – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/

Benefit of ISO procedures

ISO 9001:2015 does not impose extra work on organizations. ISO 9001:2015 sets requirements and it is up to each organization to decide how to apply those requirements. For example, ISO 9001:2015 requires that organizations perform quality control of its products and services - as long as legislation or regulation not prescribe what to control, how to control and when to control, it is up to each organization to decide the scope and depth of that quality control.

Benefits to company employees with the implementation of a quality management system according to ISO 9001:2015 can be about:

• More planning, more rational rules with meaning and less arbitrary decisions - More decisions based on facts and less on opinions
• More competence, better preparation of people entering the organization in terms of training
• Greater involvement of employees in the definition of actions to improve the processes in which they intervene

You can find more information about ISO 9001 below:

• What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
• Quality Management System: What is it? - https://advisera.com/9001academy/knowledgebase/quality-management-system-what-is-it/
• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISMS scope - Not interested in ISO27001 accreditation

You can still define the whole organization in the ISMS scope, but in cases where you have physically separate sites, the most common approach, for those which goes for certification, is to separate the scope by sites (ISO 27001 accepts scope definition in terms of location, processes, business units, or information). This way, in case a site is not compliant, it does not affect the certification in the other sites.

Since you are not going for certification at this moment, you should evaluate the costs and effort involved in both approaches (i.e., centralized and decentralized scope).

SoA’s justification for the selection of control

1. If there is no risks from the risk treatment (thus nor risk treatment number for the control), should one use risks from the risk assessment (select risk numbers which have already treated by a control) for the justification for selection?

our assumption is correct. If you identified during the risk assessment that relevant risks are already in acceptable levels because the related control is already implemented, then you can use these risks as justification for the applicability of the control in the SoA.

For further information, see:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2. I have a hard time to figure out which are differences between secure areas (A.11.1.5) and securing offices, rooms and facilities?

Control A.11.1.5 refers to how to work on secure areas (e.g., do not use cameras inside, forbid unsupervised work, etc.), while control A.11.1.3 refers to physical controls implemented to improve the security of the environment (e.g., located away from public traffic, soundproof, etc.).

These articles will provide you a further explanation about physical security:

• Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

These materials will also help you regarding ISO 27001 controls:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

BCP- IT Disaster recovery

For this mapping, I suggest you take a look at these templates (although they are related to ITIL, they can be applicable to ISO 27001 IT Disaster Recovery):

• Service Catalogue https://advisera.com/20000academy/documentation/service-catalogue/
• Configuration Management https://advisera.com/20000academy/documentation/cmdb/

The first can help you as a custodian of the information about all operational services.
The second can help you record all configuration item-related data.

These articles will provide you a further explanation about service catalog and configuration management:

• What is the relationship between Service Level Management and the Service Catalogue in ISO 20000? https://advisera.com/20000academy/blog/2016/04/12/what-is-the-relationship-between-service-level-management-and-the-service-catalogue-in-iso-20000/
• Knowing your herd – Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/blog/2013/06/04/knowing-herd-service-asset-configuration-management-sacm/

Risk of identifying too few risks

ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.

Considering that, the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organizations) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence to the process or asset would easily identify. To mitigate this risk you need to include in the risk assessment the personnel involved with the process or asset.

As for the number of risks (please note that the word "scenarios" is more adequate when talking about business continuity), you mentioned, 200 is a good number. To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 50 to 100 assets, with 3 vulnerabilities and 2 threats for each asset, so they identify between 300 to 600 risks.

An important thing to note is that risk for which you already have implemented controls (and you will only accept the risk) also count for your relevant risks.

These articles will provide you a further explanation about risk assessment and treatment:

• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
• 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
• Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/

Are entities in certain countries still required to form binding corporate rules?

it's regarding Module 8: Data transfers and managing third parties in the DPO courseThe lecturer explains that there are certain countries that need binding corporate rules between companies transferring to each other who are operating under the same parent company. He explains that there are countries identified as having an adequate level of data protection (i.e the EU member states), and then explains that certain countries were not yet recognized have adequate protection such as the United States was not recognized as having the adequate level of data protection. Is this list of countries still up to date?

You can find the current list on the website of the European Commission here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_enJapan and the United States (limited to the Privacy Shield framework) were added.

Are entities in these countries still required to form binding corporate rules?

The course explained that binding corporate rules are suitable for large-size companies belonging to the same group, while other companies better use data transfer agreements.

However, entities located in the United States can now transfer data based on an adequacy decision instead of Binding corporate rules. In fact, Article 46 GDPR states that transfer on the basis of binding corporate rules happens in the absence of a decision under Article 45 GDPR.

You can find more information here:

• Article 45 GDPR: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
• Article 46 GDPR: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
• Article 47 GDPR: https://advisera.com/gdpr/binding-corporate-rules/
• 3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

You may also consider enrolling in this online EU GDPR Foundations Course: EU GDPR Foundations Course

Identifying and measuring Key Performance Indicators

You can start by identifying your relevant interested parties. For example:

Then, considering the purpose of your organization, put yourself in the shoes of your relevant interested parties and list what they expect from your organization. One can think about: safe food and correctly labeled and packaged food. What happens if food is not safe or not correctly labeled and packaged?

As key performance indicators, your organization can have effectiveness indicators:

• # unsafe food events
• # of complaints about incorrectly labeled and packaged food

As key performance indicators, your organization can also have indicators about government and general public perception/opinion about the results of the public health unit work.

Then, your organization can have indicators about the amount of work done real versus planned. For example:

• # of inspections done / # of inspections planned
• Rate of approved restaurants
• Rate of approved foods
• Real cost of operation / planned cost of operation

As a rule of thumb consider indicators concerning:

• Effectiveness;
• Efficiency;
• Quantity of inspections

You can find more information about indicators below

• How to define Key Performance Indicators for a QMS based on ISO 9001 - https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
• ISO 9001 document template: Matrix of Key Performance Indicators - https://advisera.com/9001academy/documentation/matrix-key-performance-indicators/
• Practical tips for measuring your QMS according to ISO 9001:2015 clause 9.1 - https://advisera.com/9001academy/blog/2017/08/29/practical-tips-for-measuring-your-qms-according-to-iso-90012015-clause-9-1/
• Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

Scope, Criteria and Objectives

The QMS scope sets the borders where the QMS is implemented according to the criteria. An example of a QMS could be:

• All activities and shifts at XYZ Company’s Townsville factory of plastic products

Other examples could be:

• Inspection of ships, Classification and Certification, Construction and Project Supervision of Ships
• Development, production and analysis of fine chemicals and active pharmaceutical ingredients

The QMS Criteria sets the rules to be followed. Normally they are divided in three groups:

• Normative reference (s): ISO 9001: 2015
• Processes and documentation defined in the organization's system
• Regulatory, statutory, legal and contractual requirements applicable to activities

QMS Objectives can be (for example):

• Improve customer satisfaction by X% until date Y
• Reduce rate of complaints by Z% until date T
• Reduce defects by A% until date B
• Reduce cycle time by C% until date D 

You can find more information about these topics in the following links:

• How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
• Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
• List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
• ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
• How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Requirement of ISO 13485 for manufacturing of semi-finished product

Yes, you need to prove that your prosthetic liner is biocompatible with the human body. To prove it, you need to perform certain tests according to the ISO 10993-1:2018 Biological evaluation of medical devices — Part 1: Evaluation and testing within a risk management process. Guidance on which tests you need to perform you can find in Annex A of this standard. The number and scope of tests will depend on the length of contact of the medical device with the skin, the type of contact, and the like. 

Considering the test for durability, you need to prove how long your product is stable when using in compliance with instructions of use. This includes, for example: how long the prosthesis is worn during the day, whether it is properly maintained, whether it is left somewhere in the strong sun or not.

As for testing, I don’t know what part of the world you’re in. If you are in Europe, there is a whole chain of Eurofins labs that do different tests, so you can ask them.