The answer to that question will depend on each organization. The most common external documents are standards, legislation and regulation.
Please check this article that develops the theme more profoundly - What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
Let me start with the management system definition according to ISO 9000:2015. Something like: a system to establish a policy, translate it into a set of objectives, and work to meet them.
ISO 9001:2015 promotes the use of the process approach. Consistent and predictable results are achieved more effectively and efficiently when everyday activities are seen and managed as interrelated processes that work as a coherent system.
So, if you open that black box called “System” you will see a set of interrelated processes:
In our webinar, Free webinar – The Process Approach – What it is, why it is important, and how to do it (https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/), we use this example for process mapping:
Process mapping is about designing a model of how an organization works as a set of interrelated processes.
Now, you want to zoom in on each process and see how work is actually done. So, for each process you design a flow chart. In the same webinar, we use the following example:
While process mapping is about the flow between processes, flowcharting is about the flow within a process.
You can find more information below:
What does your organization expect from a supplier?
Do they comply with quality? Do they deliver on time? These are topics relevant for all kinds of suppliers.
What about their price? These are topics relevant if your organization competes on price.
Are they flexible enough? Do they allow small quantities and variety? These are topics relevant if your organization expects service.
Do they deliver innovation or design? Are they fast with novelties? These are topics relevant if your organization expects premium offers.
You can use an evaluation based on the opinion of those who are in contact with suppliers, or another based on more objective criteria, like the number of occurrences per number of orders.
You can get much more information in the following links:
According to ISO 9001:2015 there are mandatory documents or records concerning clause 8.4.2. I recommend that organizations have a plan about how to control subcontractors and the products or services received from suppliers. I also recommend that organizations keep records that evidence control of subcontractors and suppliers.
You can find more information below:
The best way to make IT Resilience Requirements for IT and for Projects comprehensive would be to base them on a risk assessment and risk treatment process, because that way they would cover the aspects that may disrupt IT and project activities.
To see what a risk assessment and risk treatment look like, please see the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
This article will provide you with a further explanation about risk assessment:
This material will provide you with a further explanation about risk assessment:
1. Please explain what a contingency action is as per 8.2.1.
Answer:
A contingent action is an action from a contingency plan. A contingency plan helps an organization respond effectively to an important event that can be foreseen. For example, supplying a customer by air freight when goods cannot be delivered by truck as usual due to a severe storm.
2. Please explain "Organization can meet the claims for Products & services it offered" as per 8.2.2
Answer:
Clause 8.2.2 a) is about specifications. They are written.
Clause 8.2.2 b) is about allegations. For example, claiming “with our product you will reduce your energy consumption by 25%”. These are claims that depend not only on the product or service per se but also on the customer’s context.
3. Can a design engineer perform an internal audit of the design department in the same organization? I think it's a violation of 9.2.2 (c). Please confirm.
Answer:
Yes, it is.
4. Customer satisfaction is to be monitored as per 9.1.2. No documented information is to be retained. Is it so?
Answer:
There is no mandatory record to be kept according to ISO 9001:2015. As a good practice, I recommend that organizations keep one.
5. I couldn't find the words 'preventive action'. Were they removed from the current version? Please confirm.
Answer:
Yes, it was removed from ISO 9001:2015. In a certain way it is included, without the wording, in the risk-based approach.
6. What is meant by "Organization shall ensure"...? I think documented information is to be maintained whenever required, but if only the above statement is mentioned, then there is no requirement to maintain documented information. Is that correct?
Answer:
“Shall” means it is a requirement.
When we read “shall maintain documented information” it means there must be a document. “Maintain” is the key word.
When we read “shall retain documented information” it means there must be a record. “Retain” is the key word.
You can find more information below:
According to the ISO 13485:2016 requirement 5.6.1 Management review – General, it is stated that top management must review the management system at documented planned intervals to ensure that the system is stable, adequate and efficient. Therefore, if your planned interval is one year and it is usually done in May, then you should do it in May. If you had a shorter interval for doing the management review, then it would be acceptable to postpone it, but since one year is a very long period of time, it is not advisable to postpone it.
For more information on how to perform a management review according to ISO 13485, please read the article at the following link:
Your company is the data controller of your employees’ data because your company determines the purposes and means of data processing (Which data? Transferred to whom? Why? What security measures have been taken?). In fact, according to Article 4 GDPR, the data controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” while the data processor “processes personal data on behalf of the controller”. Therefore, your company selects the winning travel agency and transfers employees’ data, while the travel agency will process those data on your behalf by organizing the travels for your employees.
Here you can find some useful information: EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
In case of need, here you can find our template of data processor agreement for suppliers: Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/
You can also consider enrolling in this free online training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//
I work for a contract packaging house that is ISO 13485:2016 certified. I have a customer that has a Class II device they would like to package with us. They will be getting the item certified to EU standards to get the CE mark for it. The question I have is, does our ISO 13485 cert cover us to support the customer on this? Since we do not hold the 510(k), but would be a part of the supply chain, is any additional certification needed for us to primarily and secondarily package this Class II item?
1. I’ve got a question on perspective. As we fill out some of this documentation, specifically as we were filling out the Statement of Applicability, we were going down the first column deciding if certain annex controls were applicable to us. We found that we were going back and forth on whether a control is applicable or not based on the perspective of looking at it from an *** perspective or from the customer’s perspective.
For example, A.7.2.2 “Information security awareness, education and training”. If I look at that from an *** perspective, we’re obviously going to have that policy in place at the corporate level, but do we need one at the level of Managed Services? And is this applicable to us because we wouldn’t have any sort of information security awareness training for customers of ours, nor should they expect that for the services we’re offering. So how are we made to look at this?
First, it is important to note that the extent of application of a control will depend on the scope of your ISMS.
Considering that, if your customers are included in the ISMS scope, then control A.7.2.2 will be applicable both to your employees and to your customers. In general, what happens is that only customers' information is included in the scope, not customers' personnel, so control A.7.2.2 is applicable only to the organization's employees.
For further information, see:
2. There’s a lot of business continuity stuff listed in the templates, but Business Continuity ISO certification is not a part of our certification process from our external auditing team. So do we still need to complete all of the business continuity references if we aren’t going to be getting the certification? To be sure we more than likely have that at our corporate level, but again, this is going to be focused on one service we are offering.
If you are going only for ISO 27001 certification, to cover the requirements from the A.17 controls of Annex A you only need the Disaster Recovery Plan, located in folder 08 Annex A >> A.17 Business Continuity >> 04 Business Continuity Plan.
3. As my colleague mentioned previously, we’ve got several lines of business at ***. Should we treat all those lines of business not directly associated with our Managed Services team as a supplier? For example, *** is our head of HR. Would he need to be listed as a “supplier” since he doesn’t work inside our *** group?
Lines of business that are not included in the ISMS scope but have relations with it can be considered as suppliers if they provide resources for the ISMS scope.
The above-mentioned article about defining the ISMS scope can provide additional information.
4. Risk Register – how detailed do we need to get? Is “laptops” good enough to put on one line or do we need to list out all the individual laptops we’ll be using in the process? Same for offices, etc. Is it okay to lump groups of things together or do we need to list them all individually?
ISO 27001 does not prescribe the level of detail of the risk register, so organizations can adopt the level that best suits them.
Regarding assets, you can use a single item like "laptops" to refer to all laptops in your organization in the risk assessment process, but please note that, if you have a situation where different groups of laptops need to be treated differently, you can adopt multiple items, like "development laptops", "management laptops", etc.
For further information, see:
By the way, included in the toolkit you bought, you have access to a video tutorial that can guide you in filling out the risk assessment table. I recommend that you watch the available video tutorial before writing documents, because it presents examples with real data that may clarify your doubts.