AS9102 is a guidance document on how to perform first article inspection, and can be used by anyone. It is not possible to be certified to AS9102, and you do not need to be certified to AS9100 to use the FAI guidelines.
For a quick summary of AS9102 see the article: How Does AS9101, AS9102 & AS9103 Relate to AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/10/23/how-does-as9101-as9102-as9103-relate-to-as9100-rev-d/
First, it is important to note that ISO 27001 certifications for auditors (internal auditor, and lead auditor) refers to information security, not cybersecurity (which covers only a small part of information security).
Considering that, there are no prerequisites for a person to attend an ISO 27001 auditor course and take the exam.
These articles will provide you further explanation about ISO 27001 certification for auditors:
- ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
- How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
These materials will also help you regarding ISO 27001 certification for auditors:
- ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Please note that the steps to define residual risks are:
- Risk identification (i.e., identification of elements that compose the risk, and already implemented controls)
- Risk analysis (i.e., the definition of risk value, considering any already implemented controls)
- Risk evaluation (i.e., comparing the risk value to risk acceptance criteria to decide if additional treatment is required)
- Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)
In case you evaluate that no additional treatment is required (i.e., the risk is accepted), then the identified risk is the residual risk.
In case you evaluate that additional treatment is required (e.g., avoid, mitigate, or transfer the risk), then, in this case, you have to define the new value of the risk, considering the new applicable controls and this one will be the residual risk.
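As an added illustration of the four steps above (not part of the original answer), the following Python risk register derives the residual risk exactly as described: an accepted risk keeps its identified value, a treated risk is re-scored with the new controls. The 1 to 5 likelihood/impact scale, the "value = likelihood x impact" formula, the acceptance threshold and the sample entries are all assumptions made for the example; ISO 27001 prescribes none of them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed risk acceptance criterion: a value of 8 or less is acceptable.
ACCEPTANCE_THRESHOLD = 8


@dataclass
class Risk:
    # Risk identification: elements that compose the risk plus existing controls
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                          # 1 (negligible) .. 5 (severe), assumed scale
    existing_controls: List[str] = field(default_factory=list)
    treatment: str = "accept"            # accept | mitigate | avoid | transfer
    new_controls: List[str] = field(default_factory=list)
    # Effect of the new controls on the scores (re-scored values, assumed)
    likelihood_after: Optional[int] = None
    impact_after: Optional[int] = None


def risk_value(likelihood: int, impact: int) -> int:
    """Risk analysis: value considering already implemented controls (assumed formula)."""
    return likelihood * impact


def needs_treatment(value: int) -> bool:
    """Risk evaluation: compare the value against the acceptance criteria."""
    return value > ACCEPTANCE_THRESHOLD


def residual_risk(risk: Risk) -> Dict[str, object]:
    """Risk treatment: accepted risk is the residual risk; treated risk is re-scored."""
    initial = risk_value(risk.likelihood, risk.impact)
    if not needs_treatment(initial):
        return {"initial": initial, "treatment": "accept", "residual": initial}
    if risk.likelihood_after is None or risk.impact_after is None:
        raise ValueError(f"{risk.asset}: '{risk.treatment}' needs re-scored likelihood/impact")
    residual = risk_value(risk.likelihood_after, risk.impact_after)
    return {"initial": initial, "treatment": risk.treatment, "residual": residual,
            "still_above_criteria": needs_treatment(residual)}


# Constructed sample register (hypothetical assets and scores)
REGISTER = [
    Risk("customer database", "SQL injection", "unpatched web application", 4, 5,
         existing_controls=["web application firewall"], treatment="mitigate",
         new_controls=["patch management", "parameterised queries"],
         likelihood_after=1, impact_after=5),
    Risk("office printer", "paper jam", "ageing hardware", 3, 1),
]


def evaluate_register(register: List[Risk]) -> List[Dict[str, object]]:
    return [dict(asset=r.asset, **residual_risk(r)) for r in register]
```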
1. Does the external auditor have to do complete surveillance for all controls in the SOA the same as the first year of certification?
Only during certification audits must all controls in the SoA be audited. During each surveillance audit, the auditor can cover only part of the controls, provided that all controls are audited during the certification cycle (e.g., if you have 3 surveillance audits between certification audits, all controls must be audited at least once in these three audits).
This article will provide you further explanation about surveillance audits:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
2. How long does it take to complete the surveillance audit with regard to the initial certification audit duration?
The total days to complete a surveillance audit will depend on the defined ISMS scope (e.g., number of locations, number of employees, etc.), so without detailed information we cannot provide a precise answer for your case.
As a general example, we can say that if the certification audit took 5 days to be performed, the surveillance audits will take between 2 to 3 days.
There is no prescribed deadline for handling product complaints in ISO 13485:2016, requirement 8.2.2 Complaint handling. It is the manufacturer who must define the time within which the complaint must be resolved, in accordance with applicable regulatory requirements.
For more information on complying with ISO 13485:2016 requirements, please read the article:
How to comply with ISO 13485:2016 requirements for handling complaints https://advisera.com/13485academy/blog/2017/03/21/how-to-comply-with-iso-134852016-requirements-for-handling-complaints/
For more information on managing recalls and advisory notices for medical devices according to ISO 13485, please read the following article:
How to manage recalls and advisory notices for medical devices according to ISO 13485 https://advisera.com/13485academy/blog/2017/08/31/how-to-manage-recalls-and-advisory-notices-for-medical-devices-according-to-iso-13485/
Internal audit is a big topic and an explanation of each clause would require a long answer.
In our article "How to make an Internal audit checklist for IATF 16949", you can find a lot of tips for your question: https://advisera.com/16949academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iatf-16949/
Please consider reading our article: IATF 16949 audit types & how they affect process improvement https://advisera.com/16949academy/blog/2017/11/01/iatf-16949-audit-types-how-they-affect-process-improvement/
Also, an article that can help to choose auditors: Requirements for the competence of IATF 16949 Internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/
Our course for ISO 9001 as baseline standard can also help: ISO 9001:2015 Internal auditor course https://advisera.com/training/iso-9001-internal-auditor-course/
From what I read from the standard, the goal is to ensure the confidentiality, integrity, and availability of information. The quality of information does not seem to me to be a concern of ISO 27001. Quality is necessary, but it is controlled by other means. When I see a request for a letter of competence, due to lack of an employee's diploma, or an obligation to present the employee's professional profile, I do not understand what this has to do with information security. Did I get it wrong?
Please note that the objective of the standard is to protect information. Ensuring its confidentiality, integrity, and availability are the means by which this objective is achieved.
Information quality is not a mandatory requirement, but organizations can define information quality as a requirement to be protected by the ISMS if it impacts its information security objectives.
Recommendation letters, or other means to evidence competence, are a requirement of the standard (clause 7.2 c)) to ensure people have the proper experience, training, or education to perform work that can impact information security performance.
These articles will provide you further explanation about these topics:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/
The time estimation for project duration considers a dedication of approx. 20% of work time, i.e., the project leader would work 1 day per week at most on the project.
First, you must correct the nonconformity. Perhaps add an annex to the management review minutes, or perform a new management review just about that topic to complement the previous one.
Second, you should develop a corrective action. A corrective action eliminates the cause of the nonconformity. To find the cause of the nonconformity, you should ask why the nonconformity occurred. A good practice is to ask why five times to find a root cause. Besides that, you can create a template for use in future management review minutes, to avoid forgetting some topic.
The following material will provide you more information about developing corrective actions:
- Article - Corrective and Preventive Actions to Support Environmental Management - https://advisera.com/14001academy/blog/2014/07/13/corrective-preventive-actions-support-environmental-management/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
The auditor stated requirement a), which is related to documented processes, and i), which is related to the training of personnel.
You should have documented the process for product safety, for example in the turtle diagram.
Also, you can have process maps in a documented procedure; please consider our template procedure for product safety in our IATF 16949 Toolkit: https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/
Please consider reading our article: “Ensuring product safety according to IATF 16949”: https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/