ISO 9001:2015 is the base of IATF 16949:2016. An IATF auditor first of all has to reach the ISO 9001 qualification; this is recommended as a first step towards the IATF 16949 lead auditor qualification.
IATF 16949:2016 is a quality management system applied only to the automotive industry. Only the supplier part of the automotive supply chain is eligible to be IATF certified. With knowledge of ISO 9001 it will be much easier to cover the IATF 16949 additional requirements.
Advisera has the following courses available:
ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
ISO 9001 Lead auditor course: https://advisera.com/training/iso-9001-lead-auditor-course/
Anyone can implement and manage an ISO 9001 quality management system. The only requirements are based on the needs of the task: having some knowledge about the standard, being able to promote teamwork, and being able to have some influence over managers. ISO 9001:2015 no longer mentions the management representative role, because it wants to give much more importance to top management commitment to the quality management system. So, be sure that top management works together with that supervisor, particularly when he/she needs to have authority over managers.
The following material will provide you with more information about the management representative:
- What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
- What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Procedures are no longer mandatory documents in ISO 9001:2015. But even though you don't need to write any procedure, procedures can be very useful for the organization, since they help you to conduct processes in a systematic way and therefore allow you to compare results correctly.
Regarding the procedure for design and development, you can adapt it to your own situation; as you mention, it can have dependencies with other processes or be based on one main process.
Here you can find the mandatory documents and records that you need to create in order to comply with ISO 9001:2015 requirements - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
The following material will provide you with more information about procedures and mandatory documents:
- Some tips to make Document Control more useful for your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
- How to structure quality management system documentation: https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- Free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide: https://advisera.com/books/managing-iso-documentation-plain-english-guide/
1. I am struggling with the 10.1 Risk assessment table level of detail for listing. Does the standard define the level of detail for assets or, more importantly, what is required in an audit? The catalog examples in the toolkit vary from very detailed to more general ones. For example, can one asset be "development operations system", or do we need to break it down into more detail (Eclipse as IDE, Git for version control, Jenkins for continuous integration, Jira as task management, etc.)? A similar question: can I describe our SaaS service as one asset even though it has several technical components inside?
ISO 27001 does not prescribe a detail level for assets, so organizations can define the detail level that best suits them. This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record the organization's notebooks as individual assets (you can add an asset called "notebook"), but if they have specific purposes with different risk levels you can use specific assets like "notebook", "development notebook", and "finance notebook". The same concept applies to a SaaS service.
Included in the toolkit you bought you have access to a tutorial that can help you fill in the risk assessment.
2. My second question relates to the separation of duties, because we simply do not have enough development people to make strict roles between people; the same people do development and deploy versions to production. Of course, there is a well-defined process to test and accept a release candidate before it is put in production.
To implement separation of duties it is not mandatory to define strict roles (e.g., to have a developer and a tester); you only have to ensure that a single person does not perform the whole process. For example, if you have two developers, one can do the development and deployment of a system, and the other can perform the test and acceptance of the release candidate of this same system, and you can swap the roles for another system.
If this arrangement is not possible, you can consider compensating controls like:
- Monitoring activities
- Audit trails
- Management supervision
This article will provide you with a further explanation about segregation of duties:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
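As an added illustration (this is not part of the answer above, nor Advisera's own material), the arrangement described there can be checked mechanically at release time: for every release, the person who developed and deployed the change must differ from the person who tested and accepted it, and where one person did both, the compensating controls named above (an independent management sign-off and an audit-trail reference) must be present, with the deploy log cross-checked against the release record. All names, systems, the release record fields and the deploy-log format are hypothetical and the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Release:
    """One release record (hypothetical fields, not from any real tool)."""
    system: str
    version: str
    developer: str                     # developed and deployed the change
    acceptor: str                      # tested and accepted the release candidate
    supervisor: Optional[str] = None   # management sign-off (compensating control)
    audit_ref: Optional[str] = None    # change ticket / log reference (compensating control)


# Constructed deploy log in a made-up "key=value" format.
DEPLOY_LOG = """\
2024-03-04T10:12:05Z deploy user=alice system=billing version=2.3.0
2024-03-04T15:40:11Z deploy user=bob system=portal version=1.8.2
2024-03-06T09:02:44Z deploy user=alice system=reports version=0.9.1
"""

LOG_RE = re.compile(r"^\S+ deploy user=(\S+) system=(\S+) version=(\S+)$")


def parse_deploy_log(text: str) -> Dict[Tuple[str, str], str]:
    """Map (system, version) -> user who actually deployed it."""
    deployed: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            user, system, version = m.groups()
            deployed[(system, version)] = user
    return deployed


def check_release(r: Release, deployed: Dict[Tuple[str, str], str]) -> List[str]:
    """Return findings for one release; an empty list means it passes."""
    tag = f"{r.system} {r.version}"
    findings: List[str] = []
    # Audit trail: the deploy log must show who pushed the release, and it
    # must be the person the release record names as the developer/deployer.
    actual = deployed.get((r.system, r.version))
    if actual is None:
        findings.append(f"{tag}: no deploy log entry")
    elif actual != r.developer:
        findings.append(f"{tag}: deployed by {actual}, record says {r.developer}")
    if r.developer != r.acceptor:
        return findings  # two-person rule satisfied
    # One person did the whole process: require the compensating controls.
    if not r.supervisor or r.supervisor == r.developer:
        findings.append(f"{tag}: same person developed and accepted, no independent sign-off")
    if not r.audit_ref:
        findings.append(f"{tag}: same person developed and accepted, no audit-trail reference")
    return findings


def check_releases(releases: List[Release], log_text: str = DEPLOY_LOG) -> List[str]:
    """Run the segregation-of-duties check over a list of release records."""
    deployed = parse_deploy_log(log_text)
    findings: List[str] = []
    for r in releases:
        findings.extend(check_release(r, deployed))
    return findings


# Constructed sample: two developers swapping roles across systems, one
# release covered by compensating controls, and one release with nothing.
SAMPLE_RELEASES = [
    Release("billing", "2.3.0", developer="alice", acceptor="bob"),
    Release("portal", "1.8.2", developer="bob", acceptor="alice"),      # roles swapped
    Release("reports", "0.9.1", developer="alice", acceptor="alice",
            supervisor="carol", audit_ref="CHG-118"),                   # compensating controls
    Release("inventory", "4.0.0", developer="bob", acceptor="bob"),     # no compensating controls
]

if __name__ == "__main__":
    for finding in check_releases(SAMPLE_RELEASES):
        print(finding)
```

Run as a script, the only findings reported are for the "inventory" release, which was built, deployed and accepted by one person with no sign-off, no ticket reference and no deploy-log entry; a check like this can sit in a CI pipeline as a gate and its output kept as the record the auditor asks for.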
"Does your IATF package include the format and metrics for these 16 processes?
For each of the 16 "documented processes" do I have to show a metric for that process that falls under clause 4.4.1?"
IATF requires at 5.1.1.2 that top management shall review the effectiveness and efficiency of the quality management system. It is mandatory to measure process effectiveness for all organizational processes, and to measure efficiency for product realization processes (see 9.3.2.1). All documented processes according to 4.4.1, with inputs and outputs, should have performance indicators accordingly (for example, metrics). It is acceptable for an organization to group multiple documented processes into one (or more) processes; for example, "Engineering Specification" (7.5.3.2.2) could be grouped with the design and development process and documented based on the documented procedure approach. For these, metrics are not mandatory.
You can download a free demo of the IATF 16949 Documentation Toolkit, where you will be able to see templates of all documents included in the toolkit, but also a document called 'List of Documents' that displays which documents are mandatory and which are optional.
ISO 27001 does not prescribe specific controls for data centers, although controls from ISO 27001 Annex A can be applied to data centers as well. To identify which controls would be applicable to your data center you need to perform a risk assessment process. Some commonly adopted controls are:
- Physical Access Control
- Uninterruptible Power Supply (UPS)
- Audit Logs of all user activities and monitoring the same
For more information, see:
- The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
For requirements for a data center, you can take a look at the ANSI/TIA-942 standard. Although it is not ISO (it is an American National Standard) it provides several specifications considering availability and other security needs.
This article will provide you with a further explanation about controls definition:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
These materials will also help you regarding controls definition:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
For certification purposes, you can either have a single certificate covering the three sites or one certification for each site, but regardless of the adopted approach all sites will have to be audited to achieve certification.
Considering that all sites have to be audited, the best course of action would be to certify the sites one at a time. This way you can better plan your implementation expenses, and a problem with one certified company wouldn't affect the others.
These articles will provide you with further explanation about ISO 27001 implementation:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
ISO 14001:2015 does not have an equivalent process to AS9100 Rev D for measuring process effectiveness. Likewise, there is no equivalent to AS9101 scoring in the certification audit. ISO 14001 does include a bibliography which includes ISO 14031, Environmental management – Environmental performance evaluation – Guidelines, however, the use of this standard is not mandatory for the EMS. So, it is up to you to determine how you will monitor and measure process effectiveness within the EMS, while of course still meeting your legal compliance requirements which may dictate how this is to be done.
You can find out more on measuring EMS effectiveness in the article: How to measure the effectiveness of your EMS according to ISO 14001:2015, https://advisera.com/14001academy/blog/2016/09/05/how-to-measure-the-effectiveness-of-your-ems-according-to-iso140012015/
If you are looking for help to implement AS9100, you may find our book helpful: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/
Clause 4.3 of ISO 9001:2015 requires that the scope of the quality management system be maintained as a document. If clause 7.1.5 (calibration) is not applicable, you should state that, with a justification, in a document; for example, in the same document as the scope. If your organization keeps a quality manual, it can be written there together with the scope.
The following material will provide you with more information about scope:
- How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
In our toolkit, changes that affect the quality system are covered in 21_Procedure_for_management_review, as a part of Review inputs. Therefore, this requirement from ISO 13485:2016 is fulfilled.