Search results

Product safety

Yes, the issue of product safety is related to special characteristics and product safety characteristics are very important for the design and production of the product. These important requirements are determined during the product and production design process.

For example, material hardness and tensile stress are very important safety characteristics for the durability of brake parts. These characteristics come from product design specifications, product drawing, and design FMEA.

In addition, the hardness of the material is also affected by the heat treatment conditions in production, parameters such as temperature and time. Thus, production parameters such as temperature and time of heat treatment are the subject of product safety and they are also special characteristics related to safety for brake parts.

Critical characteristics of the product and production process; it is defined by legal regulations, security and significant important critical characteristics.  All these characteristics have different symbols as ‘’R/S’’,’CC’,’’ SC’’ according to customer-specific requirements.

All these characteristics; It comes from legal regulations, product drawings, product specifications, and production parameters that affect the health of production operators and the durability of the product.

According to the IATF 16949 standard, Product Safety is relating to the design and manufacturing of products to ensure they do not represent harm or hazard to customers. As you know customers are Regulations, end-users (driver and passenger), OEM plants, the other manufacturing plants and production operators. 

The customer should not be at risk of affecting the safety of the product. These special characteristics related to product safety is determined by regulation, product drawing  and which have to be monitored and controlled at the production point affecting the safety of the product.

All these requirements must be transfer via product drawing, material specification, etc to the entire supply chain, and the entire supply chain must comply with the product and production-specific characteristics for product safety.

For more information, please read the following article:

ISO 9001 y codificación del sistema

La norma ISO 9001:2015 no exige ninguna forma obligatoria de codificación. Corresponde a la organización la elección de un sistema para el control de los documentos y registros, que es un requisito obligatorio de la norma aunque no especifica cómo hacerlo.

Respecto al requisito de la cláusula 7.4 - comunicación de la norma ISO 9001:2015, no requiere ser documentado, por lo que depende de la organización si registrar o no la comunicación interna y externa y cómo hacerlo. 

Para más información sobre la codificación y la comunicación en el SGC, vea los siguientes materiales: 

- Articulo - Communication  requirements according to ISO 9001:2015: https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/

- Artículo - Some tips to make document control more useful for your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/

- Libro - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

- Libro - Gestión de documentación ISO: una guía en un lenguaje sencillo: https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/

- Curso de Fundamentos ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

Risk Analysis

I am creating documentation for Risk Management, The documentation says risk assessment, I want to know which GAP is missing or we are talking about the same. The requirement to be met is: Implement a formal information risk management process that includes the identification and classification of information assets, risk impact, risk probability and risk scores with quantitative definitions, risk treatments, definition of plans treatment, formal follow-ups, implementation of steering committee meetings and cycle re-visit in accordance with ISO-27005 and execute the first annual risk assessment

 I'm assuming you are referring to the ISO 27001/ISO 22301 Risk Assessment Toolkit when you say "La documentación dice evaluación de riesgo" (The documentation says risk assessment).

Considering that, the toolkit covers all requirements for risk assessment and treatment defined by ISO 27001, which also recommends the adoption of ISO 27005 (there are no GAPs in the documentation). In the toolkit, you will find the following documents:

• Risk Assessment and Risk Treatment Methodology
• Risk Assessment Table
• Risk Treatment Table
• Risk Assessment and Treatment Report
• Statement of Applicability
• Risk Treatment Plan

To see how the documents look like, please access the free demo at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

This article will provide you further explanation about risk management for ISO 27001:

• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

Audit checklist points

Considering ISO 27001, please note that the activities users can perform remotely from home is based primarily on the management decision/business need, while the safeguards are determined according to the results of the risk assessment - the audit checklist must take all of these into account.

Normally you should consider at least these points for an audit checklist:
- who may telework (e.g., IT staff, sellers, managers on travel, etc.)
- which services are available for teleworkers (e.g., development environment, invoicing systems, etc.)
- which information can be accessed through telework (e.g., performance dashboards, list of customers, etc.); for more information, see: Information classification according to ISO 27001.
- which access controls shall be applied before access to information and resources is granted (e.g., password, two-factor authentication, use of VPN on communication channels, etc.); for more information, see: How to manage the security of network services according to ISO 27001 A.13.1.2.
- how devices and remote sites should be configured, protected, and used (e.g., devices with cryptography, no use of shared rooms to work, information backup, etc.)

These articles will provide you further explanation about developing this checklist:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
- What to include in an ISO 27001 remote access policy https://advisera.com/27001academy/blog/2019/04/23/iso-27001-remote-access-policy-how-to-develop-it/

Examples of environmental objectives for the painting department

Good environmental objectives stem from the environmental policy. A good environmental policy includes the three commitments from ISO 14001:2015 (Continual improvement, Prevention of pollution, Compliance with legal and other requirements) and sets priorities for environmental improvement.

What are the environmental improvement priorities? After the initial environmental survey is made, what are the most significant environmental aspects? In some organizations it may be the amount of hazardous waste they generate, in others it may be air emissions and its quality, in others it may be energy consumption.

For example, in the last EMS implementation project where I worked, the first version of the environmental policy had 4 vectors:

1. Improve air emissions;
2. Reduce environmental noise;
3. Reduce consumption of raw materials per unit produced; and
4. Increase energy efficiency. 

When the EMS reached certification, emissions and noise already complied with the legislation and the environmental policy was updated to focus on points 3 and 4

Goal- general orientation – Example – Improve air emissions 

Objective – more detailed information – Example – Reduce organic volatile compounds in our painting department

Target - clear success criteria, how much, and when – Example - Reduce organic volatile compounds in our painting department by 20% in the next 12 months.

The following material will provide you information about environmental policy and objectives:

• How to write an ISO 14001 environmental policy - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-write-an-iso-14001-environmental-policy/ 
• How to Use Good Environmental Objectives - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-use-good-environmental-objectives/ 
• Examples of ISO 14001 objectives based on the different company sizes - https://advisera.com/14001academy/blog/2019/10/22/iso-14001-objectives-examples-for-different-company-sizes/ 
• Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/ 
• Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/ 
• You can watch free webinars on demand – ISO 14001Webinars - https://advisera.com/14001academy/webinars/ 
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/ 
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

How to conduct an internal audit

1. I invite you to watch the free webinar on-demand - How to perform an ISO 14001:2015 internal audit - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar/
2. When auditing an immature environmental management system internal audits can be very similar to external audits, but as the system matures it makes sense for internal audits to devote more time to assess the effectiveness of processes and systems 
3. You can check the previews for internal audits at Advisera’s ISO 14001:2015 Documentation Toolkit - https://advisera.com/14001academy/iso-14001-documentation-toolkit/
4. You can check the previews for nonconformities at Advisera’s ISO 14001:2015 Documentation Toolkit

You can find more information about audits below:

• Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
• How to make an ISO 14001 internal audit checklist - https://advisera.com/14001academy/blog/2016/06/27/how-to-make-an-iso-14001-internal-audit-checklist/
• Using internal audits to drive real improvement in ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/using-internal-audits-to-drive-real-improvement-in-iso-140012015/
• Free online training ISO 14001:2015 Internal Auditor Course – https://advisera.com/training/iso-14001-internal-auditor-course/
• Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

Assuring impartiality and confidentiality

Impartiality and confidentiality are two requirements that are vital for maintaining the trust and confidence that the users of tests and calibrations place in laboratories. In the context of an accredited internal company laboratory, companywide policies should be established and adopted, setting a course of action across the company to safeguard confidentiality and impartiality of the laboratory.  

The extent to which impartiality and confidentiality need to be addressed will depend on your company structure. For example, if the company is small and there are shared incentives or resources between production and the quality assurance department or laboratory, either involving personnel or equipment; there is a threat to the impartiality of the laboratory. Identify possible confidentiality and impartiality issues as part of addressing risks and opportunities (another requirement of ISO 17025:2017); and using a Registry of Key Risk and Opportunities. Look at the organisational structure, processes and possible risks. For example, to minimise confidentiality risks, the laboratory should only reveal results and information to authorised personnel. To safeguard impartiality, identify possible commercial, financial, or other pressures from other departments, that may compromise activities and the quality of results. Consider internal issues, personal relationships, or other conflicts of interest. These risks must be addressed and resolved.

For more information, have a look at the advice answers

• Compliance with the ISO/IEC 17025:2017 requirement for Impartiality - https://community.advisera.com/topic/compliance-with-the-isoiec-170252017-requirement-for-impartiality/
• Procedure for impartiality - https://community.advisera.com/topic/procedure-for-impartiality/

The ISO 17025 document template: Registry of Key Risks and Opportunities, is available for purchase -https://advisera.com/17025academy/documentation/registry-of-key-risks-and-opportunities/

Risk assessment

https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/ does not address question 2

First of all, thanks for the feedback.

The issue about exiting controls is, in fact, missing in the step 2 risk assessment implementation. The proper text is:

"Once you know the rules, you can start finding out which potential problems could happen to you – you need to list all your assets, then threats and vulnerabilities related to those assets, as well as controls you already have implemented, assess the impact and likelihood for each combination of assets/threats/vulnerabilities, considering controls you already have in place, and finally, calculate the level of risk."

We will provide this adjustment ASAP.

With regards to ISO 27001, what is the correct sequence in evaluating risk vs current controls?

Please note that there is no sequence here.

Since current controls have a direct influence on impact and likelihood, the components of the risk, the risk, and current controls have to be assessed at the same time.

For example for the risk of data loss, if you already have a backup solution implemented, it does not make sense to evaluate the risk of data loss without considering the backup. This would result in an unrealistic risk and unnecessary work to evaluate the risk again, now considering the control. The proper approach is to consider the risk of data loss considering the effects of the backup solution.

Internal audit

1. Must first internal audit be executed before certificate audit?

Internal audit is a mandatory requirement of ISO 27001 (clause 9.2), so at least one audit cycle, covering all ISO 27001 requirements must be performed before going for a certification audit.

For further information, see:

• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

This material can also help you:

• ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/

2.  If so, must it cover every area or is it ok to audit some areas after certification audit?

For certification purposes, the internal audit must cover the whole ISMS scope before the certification audit.

ISO 9001 KPIs

Please consider our free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 -

 https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ There you can find the rationale for developing KPIs both for processes and quality objectives.

The following material will provide you information about indicators:

• Analysis of measuring and monitoring requirements in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/