1. 4.1.6 What software needs to follow the software validation process? Would Smartsheet or Excel have to be validated?
You need to perform validation for any software that is being used in the quality system, together with an evaluation of the risk of each of those applicable pieces of software. This assessment can include databases, Solidworks/CAD files for design activities, issue tracking software, complaint management software or CRM systems, ERP systems, and/or distribution software programs. The evaluation process should be documented, and the results should be tied to actions. You do not need to perform validation of Smartsheet and Excel.
For more information, please read the following articles:
- How to establish process validation in the QMS https://advisera.com/9001academy/blog/2017/01/31/how-to-establish-process-validation-in-the-qms/
- Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/
2. We do not only manufacture medical-related products. We produce thermoplastics. Is it ok for us not to use a risk management procedure on non-medical if specifically called out in the procedure?
Yes, it is OK not to use a risk management procedure on non-medical devices.
Hi, I would like to know in which cases it is mandatory to use a banner that allows visitors to my site to choose the type of cookies to accept (necessary, marketing and statistical)?
Necessary cookies or technical cookies do not require any kind of consent; you just need to make the user aware that you are using such cookies. This can be achieved by using a banner (without the need for the visitor to accept anything). You also need to ensure that your Cookie Policy details the use of the necessary/technical cookies.
In which cases instead of the classic banner where "continue browsing" is sufficiently interpreted as consent to all cookies?
Regarding statistical and marketing cookies, these should only be placed on the visitor's browser based on consent. Consent can be obtained through the cookie banner. You also need to ensure that your Cookie Policy details the use of the statistical/marketing cookies, as well as an easy way for the visitor to withdraw their consent.
You can find readily available Cookie Policy in our EU GDPR Mini Toolkit for websites (https://advisera.com/eugdpracademy/eu-gdpr-mini-toolkit-for-websites/).
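The consent rule described in the answer above (technical cookies may be set without consent; statistical and marketing cookies only after opt-in, with withdrawal as easy as granting), as an added example that is not part of the original post and not Advisera's code. The category names, the cookie names (`session_id`, `_ga`, `_fbp`), the `ConsentManager` API and the in-memory cookie jar are assumptions made for illustration; in a browser the jar would wrap `document.cookie`.

```javascript
// Added example: default-deny, consent-gated cookie helper.
// Names, categories and the storage interface are assumptions, not a real library's API.

const CATEGORY = Object.freeze({
  NECESSARY: "necessary",   // technical cookies: no consent needed
  STATISTICS: "statistics", // opt-in only
  MARKETING: "marketing",   // opt-in only
});

// Stand-in for document.cookie so the example runs outside a browser.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  delete(name) { this.cookies.delete(name); }
  names() { return [...this.cookies.keys()]; }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    // Default-deny: every non-essential category starts without consent.
    this.consent = { [CATEGORY.STATISTICS]: false, [CATEGORY.MARKETING]: false };
    // Remember each placed cookie's category so withdrawal can purge it.
    this.registry = new Map();
  }

  checkCategory(category) {
    if (!(category in this.consent)) throw new Error(`unknown category: ${category}`);
  }

  // Called when the visitor ticks categories in the banner.
  grant(categories) {
    for (const c of categories) { this.checkCategory(c); this.consent[c] = true; }
  }

  // Withdrawal revokes consent and removes cookies already placed in that category.
  withdraw(categories) {
    for (const c of categories) {
      this.checkCategory(c);
      this.consent[c] = false;
      const purge = [...this.registry].filter(([, cat]) => cat === c).map(([n]) => n);
      for (const name of purge) { this.jar.delete(name); this.registry.delete(name); }
    }
  }

  // Returns true if the cookie was placed, false if blocked for lack of consent.
  setCookie(name, value, category) {
    if (category !== CATEGORY.NECESSARY) {
      this.checkCategory(category);
      if (!this.consent[category]) return false;
    }
    this.jar.set(name, value);
    this.registry.set(name, category);
    return true;
  }
}

// Walk-through of the scenario from the answer: technical cookie always allowed,
// analytics only after opt-in, marketing still blocked, withdrawal purges analytics.
function demo() {
  const cm = new ConsentManager(new MemoryCookieJar());
  const sessionBeforeConsent = cm.setCookie("session_id", "s1", CATEGORY.NECESSARY);
  const analyticsBeforeConsent = cm.setCookie("_ga", "GA1.1", CATEGORY.STATISTICS);
  cm.grant([CATEGORY.STATISTICS]);
  const analyticsAfterConsent = cm.setCookie("_ga", "GA1.1", CATEGORY.STATISTICS);
  const marketingStillBlocked = cm.setCookie("_fbp", "fb.1", CATEGORY.MARKETING);
  const placedAfterConsent = cm.jar.names();
  cm.withdraw([CATEGORY.STATISTICS]);
  return {
    sessionBeforeConsent, analyticsBeforeConsent, analyticsAfterConsent,
    marketingStillBlocked, placedAfterConsent, remaining: cm.jar.names(),
  };
}
```

The point of the design is that the gate sits in the one function that places cookies, so a tag or script cannot set a statistics or marketing cookie "by accident" before the banner choice is recorded, and withdrawal actually deletes what was placed rather than just flipping a flag.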
Please note that this control seems incomplete because an Exit Policy would cover at least these controls:
- A.7.3.1 "Termination or change of employment responsibilities"
- 8.1.4 "Return of assets"
- 9.2.1 "User registration and de-registration"
Considering these controls, and the ISO 27002, a supporting standard which provides guidelines for implementation of ISO 27001 Annex A controls, in terms of information security you should consider:
- reminding the former employee of clauses signed in confidentiality agreements and employment contracts (e.g., not to disclose information, or not to work for competitors, for a defined period, etc.)
- communicating with other employees, customers, and contractors about the change in the status of the former employees
- ensuring the return of all physical and electronic assets in the possession of the former employee that belong to the organization or are under the organization's responsibility
- disabling or removing user IDs of former employees
Please also note that control A.7.3.1 also covers when an employee changes position within the company, so you might address such a scenario through a different policy.
This article will provide you a further explanation about employment contracts and termination or change of employment:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
- What to consider in case of termination or change of employment according to ISO 27001 https://advisera.com/27001academy/blog/2018/09/03/what-to-consider-in-case-of-termination-or-change-of-employment-according-to-iso-27001/
ISO 27001 does not define the structure of the Asset inventory - controls A.8.1.1 and A.8.1.2 require you to list only the name of the asset and the asset owner.
So if you have an Asset inventory with those two columns, it will be enough for the certification. Each company needs to assess whether some additional information is needed or not - in any case, you should not add information that is not necessary, because it will create overkill for you.
This article will also help you: 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
I read your question and I remember ISO 9001:2015 clause 8.3.2 d).
Let us look into design and development as a process:
Who is going to collect the design and development (D&D) inputs?
Who is going to perform each activity in the D&D project? For example, who is going to develop a new specification for the landing page? Who is going to test it?
Who is going to have authority to make decisions during D&D revisions?
Who is going to have authority to make decisions during D&D verification?
Who is going to have authority to make decisions during D&D validation?
A quality management system has to plan authorities and responsibilities for those important activities.
The following material will provide you more information about design and development:
- The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
- Procedure for Design and Development - https://advisera.com/9001academy/documentation/procedure-design-development/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Your question has two different topics.
“I want to setup my own business of consulting.”
Normally, countries have no legal requirements for starting a career in consultancy. So, if you feel motivated, you can start right away. For the technical side, you already have credentials that can signal your competence. Now, potential customers need to know you. For the commercial side, I recommend starting a blog with your reflections about ISO 9001, and keeping an active presence on LinkedIn for networking and developing your "personal brand". Below you can find some information that can be useful for you about this topic.
“I want to setup an organization A which can issue an ISO compliance certificate to my client company B.”
Consulting and certification are two different businesses, and due to reputational issues, they should not be treated by the same organization. You can start your career as consultant and have your own business, and at the same time apply to work as lead auditor for one or more certification bodies.
The following material will provide you information about starting a consultant business:
- How to become an ISO 9001 consultant - https://advisera.com/9001academy/blog/2016/11/15/how-to-become-an-iso-9001-consultant/
- How to sell your ISO 9001 consulting services - https://advisera.com/9001academy/blog/2017/06/20/how-to-sell-your-iso-9001-consulting-services/
- How to get new clients for your ISO 9001 consultancy - https://advisera.com/9001academy/blog/2019/03/05/how-to-get-new-clients-for-your-iso-9001-consultancy/
- Free webinar on demand – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
- ISO 9001 Tools for Consultants - https://advisera.com/9001academy/consultants/
To clarify the requirement, in clause 5.4 d 8) in consultation and participation of workers, ISO 45001 does mention the consultation of non-managerial workers in the planning, establishment, implementing and maintaining of an audit programme per clause 9.2.2; however, there is no mandated process for doing this with only a requirement to provide a mechanism for consultation and participation (clause 5.4 a).
So, this means how you involve workers in deciding the internal audit program is up to you (you need to provide the mechanisms), and this consultation will differ from company to company depending on many factors, such as the number of employees. You can gather the non-managerial workers' opinions through any method you desire, including a simple survey, asking strategic employees (such as a joint health & safety committee, if one exists), asking worker representatives (if they exist), etc.
No matter how you gather these opinions, some of the elements of an internal audit programme that you might want worker opinion on could include: importance of processes to determine frequency of audits, how audit results will be reported to workers, or by finding out what other factors the workers see as important.
You can find out more on consultation and participation in the article: How to meet participation and consultation requirements in ISO 45001, https://advisera.com/45001academy/blog/2016/03/16/how-to-meet-participation-and-consultation-requirements-in-iso-45001/
The first thing you must do is secure the support of top management, which is who will provide the resources, both financial and personnel, to carry out the implementation project.
Then you must carry out a gap analysis in your organization to find out which requirements you currently meet and which ones you still need to meet. You can perform that analysis here - Gap Analysis Tool for ISO 9001: https://advisera.com/9001academy/es/herramienta-analisis-de-brecha-iso-9001/
So that each of the requirements of the standard is clear to you, I recommend that you read the following free report, which will help you understand each of the clauses of ISO 9001 - Clause by Clause explanation of ISO 9001:2015: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
Once you have this information about the requirements you must meet, you can start writing a Project Plan, in which you establish each of the milestones of the quality management system implementation, as well as the deadlines, responsibilities, etc. Here you can download a free example of a Project Plan - Project Plan for ISO 9001 implementation: https://info.advisera.com/9001academy/es/descarga-gratuita/plan-de-proyecto-para-la-implementacion-de-iso-9001-ms-word
After defining the Project Plan, you can start to determine how you will carry out the control of QMS documents and records. Then you can determine the quality policy and quality objectives, the scope of the QMS... and so on until you reach the internal audit and management review. You can download this ISO 9001:2015 Implementation Diagram, which shows all the steps in the implementation of ISO 9001:2015: https://info.advisera.com/9001academy/es/descarga-gratuita/diagrama-de-implementacion-iso-90012015
These materials can also help you with the implementation of ISO 9001:2015:
- Enroll for free in this course - ISO 9001:2015 Foundations Course - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Defining the scope is a management decision, not a technical decision. Look at your organization as a whole. If you can find different groups of customers with very different requirements and expectations, or different sets of jobs almost independent of the rest of the organization, perhaps your organization can take advantage of certifying just part of it: to certify early, to avoid problems with unorganized customers, or to implement ISO 9001 step by step in a complex organization.
For example:
A hospital can decide to certify just the X ray service, and then the blood service, and then …
A manufacturing shoe company can decide to certify just the part of the business that works for uniform shoes and leave out the part that works for fashion
The following material will provide you information about the scope of a quality management system:
How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Certification is not mandatory. However, if an organization wants to reap the benefits of implementing and certifying a quality management system (Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/), it has to make the transition from the 2008 version to the 2015 version.
The following material will provide you information about the transition:
- Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? - https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/
- How to make the transition from ISO 9001:2008 revision to the 2015 revision - https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
- Free webinar – ISO 9001:2015 - How to make the transition from ISO 9001:2008 - https://advisera.com/9001academy/webinar/iso-90012015-how-to-make-the-transition-from-iso-90012008-free-webinar-on-demand/
- Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/