
  • List of Legal, Regulatory, Contractual and Other Requirements

    Your assumption is correct. Even for organizations of the same size and industry there may be different relevant requirements, because each organization has its own view of the business and market, so they develop different strategies and may also have different approaches toward risks.

    This article will provide you with a further explanation about the identification of requirements:

    These materials will also help you regarding the identification of requirements:

  • Number of controls for audit

    One initial question I have is whether there is a “required” number of controls that need to be audited for a certification? I was thinking that an auditor would check 15-20 randomly selected controls?

    For a certification audit, all controls identified as applicable in the Statement of Applicability will be audited, and this number will vary depending on the results of the risk assessment and the legal requirements you have to comply with. A reduced number of controls will be audited only during surveillance audits, where the auditor will focus on the controls applicable in the scope of the audit.

    For further information, see:

    Any thoughts or recommendations for how best to approach this would be helpful and appreciated!

    The best way to approach this situation is to prepare a proper internal audit checklist for your internal audit (performing at least one internal audit is also mandatory for certification). This way you will have a good understanding of the status of your ISMS before the certification audit.

    This article will provide you with a further explanation about internal audit:

    These materials will also help you regarding internal audit:

  • ISO 13485 nonconformity

    It is very hard to understand in this way why the auditor concludes this. To me personally, this does not seem like a nonconformity. Requirement 7.4.2 Purchasing information states that, when applicable, there should be a written agreement that the supplier will notify the organization about changes in the purchased product prior to the implementation of any change that affects the ability of the purchased product to meet specified requirements. Therefore, if you stated that this is an internal change order that did not affect form, fit or function of the assembly, and if there is no “no change agreement”, then to me it is not a nonconformity.

    Although this is for ISO 9001, the following material will provide you with information about audit nonconformities:
    - Article – How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/

  • ISO 17025 first steps

    It does not make a difference if the laboratory has its own ISO 9001 certification or the entire facility has ISO 9001 certification which includes the laboratory. The laboratory will, as an organisation, only have ISO 9001 certification. ISO 17025:2017 international standard accreditation requires more of a laboratory than just meeting the requirements of a quality management system (such as 9001). It is a conformity assessment standard where the technical and overall competence of the laboratory is established, peer-assessed, confirmed and recognised by an accreditation body.

    Have a look at the following expert answer ISO 9001:2015 vs ISO 17025 at https://community.advisera.com/topic/iso-90012015-vs-iso-17025/ for further information on how ISO 9001 is integrated into ISO 17025, so the management requirements do not need to be re-addressed separately within ISO 17025.

    Also have a look at the article ISO 17025 vs. ISO 9001 – Main differences and similarities for some more information, available at https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities//

  • Class II

    According to the MDR, the manufacturer must have implemented a quality management system. It does not need to be certified (there is no such requirement), but documentation and processes need to be implemented. The Notified Body will also audit the quality management system during the MDR audit.

    The Notified Body must be mentioned on the Declaration of Conformity for all classes besides class I – only for medical devices that are issued on the market as self-declaration.

    These articles can provide you with further information:

    EU MDR – Easy-to-understand basics https://advisera.com/13485academy/what-is-eu-mdr/

    First-, Second- & Third-Party Audits for medical device manufacturers & suppliers https://advisera.com/13485academy/knowledgebase/first-second-third-party-audits-for-medical-device-manufacturers-suppliers/

  • Outsourced Process

    ISO 9001:2015 promotes the wording “externally provided processes” instead of “outsourced process”.

    You don’t need to draft an externally provided process. The process is owned and operated by an outside party; what you need is to develop a systematic way to control that process. A process is not a product, so the focus should be on specific process parameters rather than on product characteristics.

    Define mutually recognized and accepted tailor-made service level parameters, as well as monitoring methodology, reporting, and follow-up actions. Those parameters and monitoring methodology should depend on the business risk associated with the service obtained from an outsourced organization, so they definitely must be customized according to the organization or the types of services needed.

    What you can draft is how that externally provided process is going to be controlled and monitored:

    • What documents need to be created and signed to set service level parameters, roles, responsibilities, and authorities for monitoring, reporting, and consequences?
    • What procedures will be followed? Who will create them? Who will ensure that the outside party is trained on them?
    • Who is going to control, what and with what frequency?
    • What records will be filled and by whom?
    • Who should act in case of doubts or nonconformities?
    • Will second party audits take place?

    To learn more about externally provided processes you can see these articles:

  • SWOT in HSE management systems

    Even though a SWOT analysis is not a formal requirement of the ISO management system standards, a SWOT analysis which considers the Strengths, Weaknesses, Opportunities and Threats to the business can be useful for any of the ISO management system standards (e.g. ISO 9001, ISO 14001 or ISO 45001). In all cases you need to identify the internal and external issues that affect the management system (clause 4.1 of each standard), and the strengths and weaknesses help with this. In clause 6 you need to look at the risks and opportunities that exist for the management system, and this is covered in the opportunities and threats of the SWOT analysis.

    If you are only implementing ISO 45001, then the standard only asks you to assess the issues, risks and opportunities that affect your OH&S management system, so in this case, to meet the requirements of the standard, you would only need to consider the SWOT for health & safety. However, as SWOT analyses are generally done at the top level of the organization’s management, if you are using this tool you will likely want to assess everything that could impact the organization, even if you only use some of this information in your OHSMS.

    You can learn more on how the SWOT analysis can help in the OHSMS in the article Aids of SWOT analysis in ISO 45001, https://advisera.com/45001academy/blog/2019/05/27/iso-45001-swot-analysis-what-are-the-benefits/

  • Risk and opportunity assessment

    What is the best time interval to assess/re-assess the risk and opportunity?

    Answer:

    It is difficult to give a straight answer. That will depend on your organization’s context and interested parties. For example, in my country, last December a lot of organizations updated their risks and opportunities register. Then February and March came, and the coronavirus lockdowns froze economies and made all those registers outdated.

    So, set a frequency that could match your context and interested parties. For example, technological organizations working at the edge may need to use shorter intervals. You can set a yearly deep assess/re-assess exercise followed by monthly or quarterly lighter exercises, together with monitoring and analysis of performance.

    Do I need to have operational and strategic risk and opportunity assessments separately?

    Answer:

    Technical answer: No, you don’t. It is your organization’s call.

    Experience-based answer: It is better to separate strategic and operational risk and opportunity assessments. That way, participants could work at different abstraction levels without having to continuously change from one to another. Ideally, I recommend an iterative approach to avoid daydreaming and losing contact with the ground.

    • Start with strategic level
    • Use strategic level as an input to the operational level
    • Use the operational level as an input to fine tune the strategic level

    Perhaps the following information about risk and ISO 9001 could be useful for you:

  • ISO 27001 Control

    1. I wanted to know how we can measure the maturity of an ISO control when trying to assess its maturity level with something like CMMI.

    First, it is important for you to understand the criteria levels adopted, so you can define how you can evidence that the control has achieved them. For example, using the model defined by ISO/IEC 15504:

    • Level 0 – Incomplete: No process implemented or little/no evidence of any systematic achievement of the process purpose (control not implemented/control does not deliver expected results most of the time)
    • Level 1 – Performed: The process achieves its expected purpose (the control delivers expected results most of the time)
    • Level 3 – Established: The process is implemented using a defined (standard) process that is capable of achieving the expected outcomes (the control delivers expected results most of the time and is performed in a similar way in all places where it is applied)
    • Level 4 – Predictable: The process operates within defined limits to achieve its expected outcomes (the control delivers expected results with optimized resources)

    This article will provide you with a further explanation about maturity models and ISO 27001:

    2. How can we measure how effective and how mature a control is? Any resources that can help?

    The effectiveness and maturity of a control can be measured against business-related objectives and KPIs (e.g., reduced incidents through incident management, increasing customer satisfaction) and the costs related to its operation (the lower the better).

    This article will provide you with a further explanation about ISO 27001 KPIs:

  • Audit checklist

    In case you are preparing for a certification audit, then you need to complete all items related to mandatory requirements (from sections 4 to 10) and all items related to applicable controls defined in the SoA.

    You can sample the checklist when you are preparing for a surveillance audit, because, in this case, you can focus on the items that will be audited.

    This article will provide you with a further explanation about certification and surveillance audits:

    This material will also help you regarding audits:
