I must confess that while performing the first internal audits of management systems under implementation, I usually send my audit checklist to the auditee prior to the audit. It is their first experience with an audit, and I want them to be prepared. During the audit they do not comment on the checklist; any comments should be made prior to the audit.
You can find more information about checklists below:
- ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
- free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
ISO 45001 is a standard set of requirements to help you implement a good OH&S management system, and as such it is not specifically detailed about creating processes to combat an epidemic. The standard does, however, include requirements to identify and prepare for emergency situations. It would be reasonable for a company to have the need to prepare its response to a pandemic emergency.
To find out what is included in the standard, see our free whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
ISO 10005 Quality management systems - Guidelines for quality plans provides guidance on establishing and using quality plans as a means of relating the requirements of the process, product, project or contract to the work methods and practices that support product realization. The benefits of establishing a quality plan are increased confidence that requirements will be met, that processes are in control, and the motivation that this can give to those involved.
The list of controls can be found in Annex A of the ISO 27001 standard. Control A.8.2.1 refers to the Classification of information (Information must be classified in terms of predefined requirements).
This list of controls is also visible in the Statement of Applicability, which is located in folder 06 Statement of Applicability.
These articles will provide you with further explanation about controls selection and the Statement of Applicability:
I am a very visual person. So, I recommend that organizations draw a flowchart with the main steps in the life cycle numbered. Then, design a table where the first column identifies the main steps and their numbers. The other columns include topics like aspects, impacts, related legislation or regulation, legislation or regulation compliance situation, evaluation parameters, and the final result with the decision upon significance.
Please find more information about life cycle below:
- Article – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
- Article - How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
When monitoring external context, I recommend considering two kinds of monitoring:
By strategic I mean reviewing the external context when preparing for the management review. For this kind of monitoring, I use the PESTL analysis framework in order to support the discipline of questioning the mind about the various areas that may affect an organization (politics, economics, social, technology, legislation, and environment). After the PESTL analysis, I recommend collecting positive external issues as opportunities and negative external issues as threats, and I organize the information in a SWOT matrix that allows us to determine potential risks and opportunities. Please check these two free webinars where I demonstrate the use of the technique:
By reactive I mean that, between management reviews, top management monitors the system’s performance. For example, last Monday I conducted a monthly monitoring meeting at an industrial organization. The first topic was all about the external context: how to minimize disruption due to the coronavirus outbreak?
You can find more information about external context below:
- ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
ISO 27001 does not prescribe which role must be responsible for policies and procedures, so an organization can define these responsibilities as best fits it.
Considering that, the "head" of the organization is one good option when the ISMS scope is the entire organization. When the ISMS scope covers only part of the organization, this responsibility can be delegated to the person with the highest hierarchical level in the scope. In both cases, this responsibility can be delegated to the person responsible for information security, if such a role exists.
Please note that this makes sense only for general policies and procedures. For more operational policies and procedures, a person in charge of a particular department or process will be the best owner - e.g., the Head of Human Resources for HR security procedures.
These articles will provide you with further explanation about the top management responsibilities:
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
This material can also provide further information:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
To answer your question, ILAC G8:03 is obsolete. Only the latest version of ILAC G8 should be referenced, i.e. ILAC G8:09/2019 Guidelines on Decision Rules and Statements of Conformity.
ILAC, the international organisation for accreditation bodies, produces guidance documents for assessors, regulators, laboratories and customers on the interpretation of accreditation criteria. Because the 2017 edition of ISO/IEC 17025 requires decision rules to be agreed on when a laboratory issues statements of conformity to specifications or standards, ILAC G8 was revised extensively.
The article ISO/IEC 17025:2005 vs. ISO/IEC 17025:2017 revision: What has changed? may be of interest. Available at https://advisera.com/17025academy/blog/2019/11/13/iso-17025-2017-vs-iso-17025-2005-key-changes-infographic/
As far as I remember, the wording “special processes” comes from the initial ISO 9001:1987 version. Imagine a manufacturing process where welding takes place, or where a sterilization process takes place. Is it possible to test welding quality? Is it possible to test sterilization effectiveness? Yes. Is it economically sound to do it every time? Normally, no. But organizations want to be sure that welding, sterilization, heat treatment, painting, and other activities are correctly performed. So, they have to validate process conditions and train people to be competent in performing the activities.
You can find more information about special processes below:
- How to establish process validation in the QMS - https://advisera.com/9001academy/blog/2017/01/31/how-to-establish-process-validation-in-the-qms/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
"Risk Deviation" is a statistical concept based on the standard variation. It means how volatile a risk is, i.e., the range of possible values a risk can assume around an expected value.
For example, if you have a risk mean value of 3, with a deviation of ±0.2, this means that this risk can vary from 2.8 to 3.2.