In general, justifications for applicability, or not, of controls from ISO 27001 Annex A are based on perceived risks and legal requirements (e.g., laws, contracts, or regulations).
Considering that, these are some examples:
Please note that included in the toolkit you have access to a video tutorial that can help you with the Statement of Applicability, which provides examples with real data.
The procedure writing method for IATF 16949:2016 standard is not different from ISO 9001:2015 standard.
As you know, a procedure states how the process needs to be done.
A procedure offers a general description of how a company meets a process requirement and the procedure consists of more specifics.
This includes scope, objective, responsibilities, references, application, specific tools, methods, measurements, and historical change of procedure.
There are 7 steps in writing quality management system procedures for ISO 9001:2015 and IATF 16949:2016 standards.
These 7 procedure writing steps are listed below, respectively.
1) Decide on the process limits.
2) Gather the information.
3) Align with other documents and processes.
4) Define your document structure.
5) Write your document.
6) Get approval for your document.
7) Train the relevant employees.
For more information, please read https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/ and please visit our IATF 16949:2016 Documentation Toolkit: https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/
If a document is made obsolete, it is replaced by a new version. If you later decide to return to using the structure or content that has become obsolete, you still must update the code that identifies the version again.
Something like this:
Whenever you change a document you have to update the version counter.
You can find more information below:
Just as with everything in the ISO 45001 standard, the internal and external issues from clause 4.1 need to be unique to the organization, and as such I really can’t list out the issues that will affect your company specifically. Additionally, the ISO 45001 standard is talking about top-level internal and external issues, much like those that senior management might identify in a SWOT analysis, and not necessarily the issues of individual processes or issues necessarily linked to interested parties.
You can learn more about identifying these issues in the article: Defining the context of the organization according to ISO 45001, https://advisera.com/45001academy/blog/2016/02/03/defining-the-context-of-the-organization-according-to-iso-45001/
These masks are class I medical devices, so they do not need a certified CE mark. It is enough that manufacturers have ISO 13485:2016, and masks must be made in accordance with ISO 14683:2014 Medical face masks — Requirements and test methods. Proof that these masks are prepared according to this standard must be written on the packaging and in the Declaration of Conformity, which the manufacturer must provide.
1. We have integrated the 3 risk registers and have been having monthly risk meetings, but we would like to find out how often the SoA would change from the ISO 27001 perspective. Would it be after each risk meeting? What happens if a control has been implemented and another risk is identified for the same control?
ISO 27001 does not prescribe how often the SoA should change, but you should consider updating the SoA every time there is a need for significant change in applicable controls (e.g., a new control is included, a control is excluded from SoA, an implementation method is changed, etc.). This need can come not only from risk meetings but also from management review, non-conformity treatment, etc.
In case a control has been implemented and another risk is identified to the same control, you have to evaluate the impact of not treating this risk until the next planned review of the implemented control to decide if an early change is needed.
For further information:
2. We are approaching our surveillance audit soon and would like to find out what an auditor would typically look out for during the surveillance audit.
The surveillance audit is performed the same way as a certification audit. The difference is that it covers only part of the ISMS scope (evidence of the fulfillment of the mandatory requirements and of part of the applicable controls in a sample of the process in the ISMS scope).
These materials will provide you with further explanation about surveillance audits:
Good and effective content and informative one too.
If you implemented a quality management system and want to keep it certified, you have to perform at least a yearly management review. That requirement is not included in ISO 9001:2015 but is included in the contract with the certification body. The same applies to internal audits: certification bodies expect that the whole system must be audited at least once per year.
You can find more information about management review in the following links:
Considering software validation, requirement 4.1.6 of ISO 13485:2016 states that activities associated with software validation must be proportional to the risk associated with the use of the software. Therefore, it is up to you to define which software can influence both the quality of the medical device and the management system.
Considering the maintenance of the infrastructure, requirement 6.3 Infrastructure of ISO 13485:2016 states that the organization must document requirements and records for the maintenance activity when such maintenance, or lack of it, can influence the product quality. These requirements must definitely apply to equipment used in production (e.g. different machines used in the production of medical devices: molding machine, packaging machine), control of the work environment (e.g. equipment for measuring temperature and humidity), and monitoring and measurement (e.g. scales, thermometers, pressure valves).
Therefore, no, you do not need records for each computer and each desk, but rather for those that can in any way influence the quality of your device and/or service (e.g. the following software definitely needs validation: software used in the calibration of equipment, software that manages production, software that manages quantities in storage and manages invoices and delivery notes).
You asked: “Which parameters will be verified for standard methods?”
Verification of a standard method means that you are in fact confirming that your laboratory can achieve the expected (reported) performance of the standardised method, i.e. you are justified in applying that standard method for your purpose. In certain sectors the parameters are defined in regulations or guidelines. There are, in principle, a number of parameters that are used as measures of performance. These include, but are not limited to, bias; selectivity; measurement range with limit of linearity, limit of detection and limit of quantification; ruggedness (robustness); and measurement uncertainty.
The parameters depend on the technique and the intended use of the test result. For example, pH and GC-MS or HPLC by their principle will have different performance parameters.
Published standardised procedures would already be validated for given matrix types and working range. The intended use, i.e. your laboratory’s application of the standard method, must be considered. In the context of ISO 17025 technical competency assessment, all these parameters should be evaluated unless you are justified not to. This means that, for example, your laboratory would not need to do experimentation to show selectivity of a chromatography column and ruggedness if used within the scope of the method. However, if the matrix was, say, an unfiltered wine and the standard method did not cover this matrix in the studies, you would have to assess the effect of possible interferences.
You also asked: “About quality data control, which procedure can you suggest to me?”
Here again it depends on the technique and purpose of the test. For example, there may be instrument fluctuations, and the results could be subject to the sensitivity of the method. The controls must be chosen considering the risks to maintaining consistent performance of your validated method.
Various monitoring measures can be used to trend random and systematic errors, for example the use of quality control charts. Internal controls can include analysing replicate samples, various blanks (sample and reagent blanks), reference standards, spiked solutions or materials, and in-house control material (of well-defined analytes of interest) in the same batch analysis as unknown samples.
Have a look at the ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/. It includes the procedure for validation and verification of methods, named Test and Calibration Method Procedure, along with a Test Method Development, Verification and Validation Register and a Test Method Development, Verification and Validation Record. The techniques for method validation are listed, as well as the required records. It is the responsibility of the laboratory to choose the suitable technique, plan experiments, reference sector-specific guidelines and meet specific regulatory and accreditation body requirements. The procedure is also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/
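The answer above mentions quality control charts and in-house control material as a way to trend random and systematic errors. The following is an added example, written for this page and not taken from the answer, the Advisera toolkit, or ISO 17025 itself. It builds a Shewhart-style chart from constructed replicate results of a hypothetical in-house control material (arbitrary units), derives 2s warning and 3s action limits from the verification baseline, and then classifies each routine batch result, including a simple run rule that flags seven consecutive points on one side of the mean as a systematic shift. All values, the run length, and the status names are assumptions for illustration.

```python
from statistics import mean, stdev

# Constructed baseline data (not from the page): 20 replicate results for an
# in-house control material, hypothetical analyte in arbitrary units, obtained
# while verifying the method. Their mean and SD set the chart limits.
BASELINE = [10.02, 9.97, 10.05, 9.99, 10.01, 10.03, 9.96, 10.00, 10.04, 9.98,
            10.02, 9.95, 10.01, 10.03, 9.99, 10.00, 10.02, 9.97, 10.01, 9.95]

# Constructed routine results: one control material result per analytical batch.
ROUTINE = [10.01, 10.07, 9.90, 9.99, 10.01, 10.02, 10.01, 10.03, 10.02, 10.01, 10.02]


def control_limits(baseline):
    """Return the baseline mean, SD and the 2s (warning) / 3s (action) limits."""
    m, s = mean(baseline), stdev(baseline)
    return {
        "mean": m, "sd": s,
        "warn_low": m - 2 * s, "warn_high": m + 2 * s,
        "act_low": m - 3 * s, "act_high": m + 3 * s,
    }


def classify_point(value, limits):
    """Classify one result against the action and warning limits."""
    if value > limits["act_high"] or value < limits["act_low"]:
        return "action"       # batch results are rejected and the cause investigated
    if value > limits["warn_high"] or value < limits["warn_low"]:
        return "warning"      # accepted, but a repeat in the next batch needs follow-up
    return "in_control"


def evaluate_run(values, limits, run_length=7):
    """Classify each point and, for points that are otherwise in control,
    flag `run_length` consecutive points on one side of the mean as a shift
    (a systematic error that individual limits would not catch)."""
    m = limits["mean"]
    results = []
    for i, v in enumerate(values):
        status = classify_point(v, limits)
        window = values[max(0, i - run_length + 1):i + 1]
        if (status == "in_control" and len(window) == run_length
                and (all(x > m for x in window) or all(x < m for x in window))):
            status = "shift"
        results.append((i + 1, v, status))
    return results


def summarize(results):
    """Count how many batches fell into each status."""
    counts = {}
    for _, _, status in results:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    lim = control_limits(BASELINE)
    print(f"mean={lim['mean']:.4f} sd={lim['sd']:.4f} "
          f"warning=[{lim['warn_low']:.4f}, {lim['warn_high']:.4f}] "
          f"action=[{lim['act_low']:.4f}, {lim['act_high']:.4f}]")
    run = evaluate_run(ROUTINE, lim)
    for batch, value, status in run:
        print(f"batch {batch:2d}: {value:6.2f}  {status}")
    print(summarize(run))
```

In this constructed run the second batch lands between the warning and action limits, the third batch breaches the action limit, and the last seven batches all sit above the mean, so the final batch is reported as a shift even though each of those seven values is individually within limits. The limits themselves should be re-derived whenever the method, instrument or control material lot changes, since they only describe the performance demonstrated at verification.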