For project plan steps please consider our project plan for IATF 16949: https://info.advisera.com/16949academy/free-download/project-plan-for-iatf-16949-implementation-presentation
And also, implementation diagram https://info.advisera.com/16949academy/free-download/iatf-16949-implementation-diagram
The difference between ISO 9001 and IATF 16949 is described in our article: ISO 9001 vs IATF 16949: What is the difference: https://advisera.com/16949academy/blog/2019/11/19/iso-9001-vs-iatf-16949-what-is-the-difference/
Please consider the following materials that may help:
I recommend the IATF 16949 Documentation Toolkit: https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/
Checklist of IATF 16949:2016 implementation steps: https://advisera.com/16949academy/knowledgebase/checklist-of-iatf-16949-2016-implementation-steps/
List of mandatory documents required by IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/list-of-mandatory-documents-required-by-iatf-16949-2016/
How to structure IATF 16949:2016 documentation https://advisera.com/16949academy/knowledgebase/how-to-structure-iatf-16949-2016-documentation/
As ISO 17025 is a general guideline for a testing laboratory management system, the amount of documentation needed for your laboratory’s transition from ISO 17025:2005 to ISO 17025:2017 will depend on what you already have in place.
Referring to a mandatory document checklist will help you identify the gaps in your current system and identify the new or changed processes, procedures, and records that you will need to put in place. I suggest you also refer to your accreditation body for any specific requirements.
Download the useful complimentary white paper (PDF) Checklist of mandatory documents required by ISO 17025:2017; available at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025;
Please read the following articles for more information:
Note that accreditation to ISO/IEC 17025:2005 will be invalid after 30 November this year (ILAC Resolution GA 20.15). Your laboratory will need to complete the transition and be assessed by your accreditation body before that date. The ISO 17025:2017 toolkit, available at https://advisera.com/17025academy/iso-17025-documentation-toolkit/, could be a suitable tool to help meet the deadline.
Your explanation is quite apt. Very precise and accurate.
The 2002 version of the ILAC document, ILAC G17 (Introducing the Concept of Uncertainty of Measurement in Testing in Association with the Application of the Standard ISO/IEC 17025) is still under revision. Accreditation bodies should acknowledge that even ILAC states that there is currently not enough guidance and a lack of rules for implementing Uncertainty in sampling, i.e. reporting separately as sMU (see https://www.eurachem.org/images/stories/workshops/2019_11_MU/pdf/P1-09_ILAC_UfS_guidance_Oehlenschlaeger.pdf).
I would say that until the ILAC decision is communicated after the March 2020 Beijing meeting, there is justification to merely interpret and comply with the ISO 17025:2017 requirements for measurement uncertainty evaluation (as discussed in the ILAC presentation). Besides the latest Eurachem guideline Measurement uncertainty arising from sampling, 2nd edition (2019), available at https://www.eurachem.org/index.php/publications/guides/musamp; the primary normative ISO standards are the ISO 98 series, including
Then for Microbiology, there is the recently revised ISO 19036:2019 Microbiology of the food chain - Estimation of measurement uncertainty for quantitative determinations. Trust this is of some assistance.
If you do not have any specific requirements (e.g., laws or contracts) for cloud security nor privacy in the cloud, the ISO 27001 Documentation Toolkit is the best option. In case you have specific requirements for cloud security or privacy in the cloud, then the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit is the best option.
Below is a list of some documents in the ISO 27001 Documentation Toolkit that cover your needs:
1. Encryption key management and 12. Encryption at Rest: Policy on the Use of Encryption https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
2. Network segregation, 3. Audit logging, 4. Patch and vulnerability management program, 6. Physical and environmental security, 7. Operational procedures and responsibility, and 13. Security Monitoring Practices: Security Procedures for IT Department https://advisera.com/27001academy/documentation/procedures-for-working-in-secure-areas/
Please note that responsibilities are defined at a high level in the Information Security Policy, and in more specific terms in each policy and procedure included in the toolkit.
5. Information security awareness, education, and training: Training and awareness plan https://advisera.com/27001academy/documentation/training-and-awareness-plan/
8. System acquisition, development, and maintenance – including secure coding practices: Secure Development policy https://advisera.com/27001academy/documentation/secure-development-policy/
Please note that ISO 27001 does not cover specifics related to secure coding practices.
9. System access control: Access control policy https://advisera.com/27001academy/documentation/access-control-policy/
10. Personnel security: Statement of Acceptance of ISMS Documents https://advisera.com/27001academy/documentation/statement-of-acceptance-of-isms-documents/
11. Backup: Backup policy https://advisera.com/27001academy/documentation/backup-policy/
For more detailed information about which documents cover which clauses of ISO 27001, and to see what these documents look like, please access the free demo of the toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
For this decision, you have to verify the ISMS scope document. Since the ISMS scope defines what is part of your ISMS and what is not, it will help you define what to include in the Disaster Recovery plan.
These articles will provide you further explanation about scope definition and disaster recovery:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
ISO 27001 does not prescribe specifics about how to perform physical penetration testing, but you can use the control objectives and recommendations from section A.11 of ISO 27001 Annex A (Physical and environmental security) to identify points you should check in your penetration test.
These articles will provide you further explanation about physical security:
- Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
- How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
- How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/
- How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/
Let us start with ISO 9000:2015 risk definition.
risk = effect of uncertainty
It's important to highlight the word "uncertainty": something that we cannot control, something that is outside our level of control.
And an effect is a deviation from the expected — positive or negative.
So, one can say that risk is a deviation from the expected (positive or negative) resulting from a trigger event that we cannot control. By the way, the ability to control the trigger event is what separates a positive risk from an improvement opportunity.
Regarding risks, ISO 9001:2015 mentions: risks and opportunities related to the context of the organization; risks and opportunities related to products and services; and risks and opportunities related to processes.
What are we talking about when we talk about "the expected"? What are the expected results of a Purchasing process or of a Production process? Its objectives.
What are the expected results of products and services? The ability to comply with specifications, orders or contracts.
The following material will provide you more information about risks and opportunities:
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Please check this free webinar on demand - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
I recommend that a project team and project leader be determined. Perhaps our ISO 9001:2015 Lead Implementer Course could be of help because it has two parts (the first one is about ISO 9001:2015 foundations training – the project leader and some other team members must have some knowledge about the quality management standard – the second one is about good implementation practices) - https://advisera.com/training/iso-9001-lead-implementer-course/
After training, your team can perform a gap analysis to evaluate what is missing in your organization's present practice. From there your project team can develop an implementation plan. I develop implementation plans with two main vectors for action: the top management avenue (with quality policy and objectives, action plans and context analysis), and the process approach avenue, where your project team should use the process approach and develop a model of how your organization works and can be seen as a set of processes. With that information, you can develop a project plan for the implementation (what is to be done, by whom, until when). ISO 9001:2015 no longer mandates the use of procedures, but almost all organizations develop some kind of procedures in order to standardize practices.
Documenting procedures is taking pictures of how the organization works today. But your organization's top management looks into the future and wants a better organization. For that purpose, they develop a quality policy, quality objectives and action plans to transform today's organization into the future's organization.
After the procedures' development and implementation, perform an internal audit and then a management review.
The following material will provide you more information about implementation:
- Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
- ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
- Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
- How long does it take to implement an ISO 9001-based QMS? - https://advisera.com/9001academy/blog/2016/07/05/how-long-does-it-take-to-implement-an-iso-9001-based-qms/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
ISO 9001:2015 no longer requires the existence of a quality manual. So, organizations are free to decide which content they feel is useful.
I still recommend that organizations should develop a quality manual. I always think of a Quality Manual as a kind of identity card of an organization. So, I design Quality Manuals that answer questions like:
- Who are we? (picture of organization building and group photo of everybody working in the company)
- What do we do? (pictures of products or services being provided, the scope of the system and reference to any non-applicability of a clause)
- What are our values and commitments? (quality policy)
- Whom do we work for? (customers and other relevant interested parties)
- How do we work? (map of interrelated processes)
- Table with relevant documents for the quality management system
The following material will provide you more information about Quality Manuals:
- Article – The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
- Article - Writing a short Quality Manual - https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/