Process verification is covered in the AS9100 Rev D specification in clause 8.5.1.3, production process verification, and requires that you assess the ability of your processes to meet the product and service requirements by taking a representative item from the first production run to verify that all the production processes used to create that item meet all requirements. This is also called first article inspection (FAI), and for more information you can use AS9102, which is referenced in Annex C (remember, AS9102 is a suggested tool, and not a requirement of AS9100). The AS9100 standard does not dictate what forms or records to keep for this, but if you use AS9102 there are forms included in there. The decision of what records to keep is up to your organization and your customers.
As for equipment verification, the AS9100 standard does not include requirements for verification of equipment that you use in your processes outside of the clause above. If you are talking about making equipment, clause 8.3.4.1 of the standard discusses planning tests for validation and verification of the product or service you design. If you were talking about equipment verification as your product or service, then this section talks about the requirements for the test plans and test procedures, but also does not have any requirements for the format of the documentation.
In short, there are no mandated documents to keep on these items, so it is up to you to define this with your customers. For more on the FAI process, see the article: How does First Article Inspection fit into AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/11/07/how-does-first-article-inspection-fit-into-as9100-rev-d/
If you need some help with your implementation, our book may help: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/
My question is about ISO 9001 accreditation: is it possible for a division of a company to gain ISO 9001?
Answer:
Certification bodies are accredited by accreditation bodies. Certification bodies certify organizations. Yes, it is possible to certify just a division of a company or even a line of products of a company. We are talking about the quality management system scope definition.
What would be the main requirements for a Quality Management System?
Answer:
A quality management system is a whole. I cannot say that some clauses are more important than others; all clauses are important. What can happen is that the adoption of a certain scope can make some clauses not applicable, and in that case those clauses can be excluded.
You can find more information about scope definition in the following links:
- How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
- Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Leadership is one of the requirements that the organization has to demonstrate within its QMS and its EMS. For this, I recommend that from the very beginning you present the benefits that implementing ISO 9001:2015 and ISO 14001:2015 brings to the organization's processes, as well as the resources that will be needed, not only financial but also personnel, so that this commitment really exists. You can, for example, hold a meeting with top management in which you give a presentation covering those benefits, the resources, and the responsibilities needed for the project.
For more information on leadership in quality and environmental management, you can see the following materials:
- Article - How to comply with the new leadership requirements in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-cumplir-con-los-nuevos-requerimientos-de-liderazgo-en-la-iso-90012015/
- Article - Six key benefits of ISO 9001 implementation: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/seis-beneficios-clave-de-la-implementacion-de-iso-9001/
- Article - Six key benefits of ISO 14001: https://advisera.com/14001academy/es/knowledgebase/6-beneficios-clave-de-la-iso-14001/
- Report - How can ISO 9001 help your business grow: https://info.advisera.com/9001academy/free-download/how-can-iso-9001-help-your-business-grow
- Report - How can ISO 14001 help your business grow: https://info.advisera.com/14001academy/free-download/how-can-iso-14001-help-your-business-grow
- Presentation - Why ISO 9001:2015 awareness presentation: https://info.advisera.com/9001academy/free-download/why-iso-9001-2015-awareness-presentation
- Presentation - Why ISO 14001:2015 awareness presentation: https://info.advisera.com/14001academy/free-download/why-iso-14001-awareness-presentation
- Free course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
ISO 27001 does not prescribe how documentation must be elaborated, so organizations can develop it in the way that best suits their needs.
The main criteria for deciding whether or not to merge documents are whether they have similar purposes and whether merging them would not produce a document too big to understand and read. So, in this particular case, if your single document does not become too big to use and manage, it may be best to merge them, so you have fewer documents to manage in your ISMS.
These articles will provide you with a further explanation about developing policies:
We're not experts in this field, but in general an ISAE3402 Type II Audit/Report (SOC 2) reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy, and considering that the ISMS scope is related to the scope of the ISAE3402 report, it seems perfectly possible to use ISMS outputs for your ISAE3402 report.
The ISMS provides a framework for the implementation, operation, and improvement of information security, while ISAE3402 is a verification that the implemented measures are working as expected.
This information (from the official site of the American Institute of CPAs) about SOC 2 and ISO 27001 may be of interest to you: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/trust-services-map-to-iso-27001.xlsx
This timing differs from one certification body to another - some certification bodies allow you to go for certification after you finish the internal audit, management review, and close most of your corrective actions; others require a 3-month period of ISMS operation before you can start the certification process.
So the point is - you should ask for quotes from a couple of certification bodies, and ask them to specify their requirements.
These articles will help you:
1. We are preparing this table for the first time. When listing an asset, is it ok to use a generic category for the asset so that it includes multiple real assets, or must each real asset be listed individually? For example, if I have 10 desktop computers, must each be listed separately or can I make one entry for "desktop computer" assuming the risks are the same for all 10?
ISO 27001 does not prescribe how to perform risk assessment, only that it must be performed, so organizations are free to perform it in the way that best suits them.
In fact, grouping assets with similar risks in a single category, as you exemplified, is a common practice, and it is perfectly acceptable to certification auditors.
Please note that included in your toolkit you have access to a video tutorial that can help you fill in the risk assessment table, presenting examples with real data.
My second question is about the existing control column. Is it ok to list a preventative measure that has not been documented in a policy, or must it be an explicit control that is documented? For example, if I have a server that is vulnerable to power failure, can I list the existing control simply as "the server is plugged into a UPS" or must I cite a policy document that indicates all servers must be plugged into a UPS? Again, this is the first time this document is being written, and we understand that we will need documented controls for the Risk Treatment Table.
As long as the control is implemented, there is no problem in mentioning it in the existing control column in the risk assessment table, even if it is not documented at the moment the risk assessment was performed.
Please note that ISO 27001 does not require you to write documents for each and every control. Only some controls will need to be documented later on as part of your ISO 27001 implementation - see the PDF document "List of documents" in the root folder of your toolkit to see which documents (and their related controls) need to be written down.
For further information, see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Having AS9100 scope for one aerospace product line and ISO 9001 scope for other parts of your organization is an acceptable thing to do, and I understand why you would want to do so. Just ensure you talk to your certification body about the scope change.
Examples of internal issues include: organizational structure, strategic direction, capabilities of employees, poor customer satisfaction, obsolete equipment, organizational culture, contractual agreements, loss of key personnel, etc.
Examples of external issues can be: oil price changes, political stability, changes in trade agreements, changes in exchange rates, technology shifts, loss of main supplier, changes in laws and regulations, etc.
Examples of risks: key supplier fails because it goes bankrupt, limited raw materials available due to natural disaster, employee turnover is high, etc.
The following material will provide you with more information about the context of the organization and risk-based thinking:
- How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
All elements of ISO 9001 are applicable in the service industry. ISO 9001 is written in language that makes it applicable both to product production and to service provision.
You can find more information about ISO 9001 implementation in the following links:
- What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- Managing Production and Service Provision using ISO 9001 - https://advisera.com/9001academy/blog/2017/11/21/managing-production-and-service-provision-using-iso-9001/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/