Search results


  • Risk Assessment

    Please note that the steps to define residual risks are:
    - Risk identification (i.e., identification of elements that compose the risk, and already implemented controls)
    - Risk analysis (i.e., the definition of risk value, considering any already implemented controls)
    - Risk evaluation (i.e., comparing the risk value to risk acceptance criteria to decide if additional treatment is required)
    - Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)

    In case you evaluate that no additional treatment is required (i.e., the risk is accepted), then the identified risk is the residual risk.

    In case you evaluate that additional treatment is required (e.g., avoid, mitigate, or transfer the risk), then you have to define the new value of the risk, considering the new applicable controls, and this one will be the residual risk.

  • Surveillance audits

    1. Does the external auditor have to do complete surveillance for all controls in the SOA the same as the first year of certification?

    Only during certification audits must all controls in the SoA be audited. During each surveillance audit, the auditor can cover only part of the controls, provided that all controls are audited during the certification cycle (e.g., if you have 3 surveillance audits between certification audits, all controls must be audited at least once in these three audits).

    This article will provide you further explanation about surveillance audits:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

    2. How long does it take to complete the surveillance audit with regard to the initial certification audit duration?

    The total days to complete a surveillance audit will depend on the defined ISMS scope (e.g., number of locations, number of employees, etc.), so without detailed information we cannot provide a precise answer for your case.

    As a general example, we can say that if the certification audit took 5 days to be performed, the surveillance audits will take between 2 and 3 days.

  • Product complaints

    There is no prescribed deadline for handling product complaints in ISO 13485:2016, in requirement 8.2.2. Complaint handling. It is the manufacturer who must define the time within which the complaint must be resolved in accordance with applicable regulatory requirements. 

    For more information on complying with ISO 13485:2016 requirements, please read the article:

    How to comply with ISO 13485:2016 requirements for handling complaints  https://advisera.com/13485academy/blog/2017/03/21/how-to-comply-with-iso-134852016-requirements-for-handling-complaints/

    For more information on managing recalls and advisory notices for medical devices according to ISO 13485, please read the following article:
    How to manage recalls and advisory notices for medical devices according to ISO 13485  https://advisera.com/13485academy/blog/2017/08/31/how-to-manage-recalls-and-advisory-notices-for-medical-devices-according-to-iso-13485/

  • IATF Internal Audit Checklist Guide

    Internal audit is a big topic and an explanation of each clause would require a long answer.

    In our article "How to make an Internal audit checklist for IATF 16949", you can find a lot of tips for your question: https://advisera.com/16949academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iatf-16949/

    Please consider reading our article: IATF 16949 audit types & how they affect process improvement https://advisera.com/16949academy/blog/2017/11/01/iatf-16949-audit-types-how-they-affect-process-improvement/

    Also, an article that can help to choose auditors: Requirements for the competence of IATF 16949 Internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/ 

    Our course for ISO 9001 as baseline standard can also help: ISO 9001:2015 Internal auditor course https://advisera.com/training/iso-9001-internal-auditor-course/

  • ISO 27001 objective and requirements

    From what I read from the standard, the goal is to ensure the confidentiality, integrity, and availability of information. The quality of information does not seem to me to be a concern of ISO 27001. Quality is necessary, but it is controlled by other means. When I see a request for a letter of competence, due to lack of an employee's diploma, or obligation to present the profile of the employee's professional, I do not understand what this has to do with information security. Did I get it wrong?

    Please note that the objective of the standard is to protect information. Ensuring its confidentiality, integrity, and availability are the means by which this objective is achieved.

    Information quality is not a mandatory requirement, but organizations can define information quality as a requirement to be protected by the ISMS if it impacts its information security objectives.

    Recommendation letters, or other means to evidence competence, are a requirement of the standard (clause 7.2 c)) to ensure people have the proper experience, training, or education to perform work that can impact information security performance.

    These articles will provide you further explanation about these topics:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    - How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/

  • Time dedication to work on the implementation project

    The time estimation for project duration considers a dedication of ca. 20% work time, i.e., the project leader would work 1 day per week tops in the project.

  • Monitoring figures on management review

    First, you must correct the nonconformity. Perhaps add an annex to the management review minutes or perform a new management review just about that topic to complement the previous one.

    Second, you should develop a corrective action. A corrective action eliminates the cause of the nonconformity. To find the cause of the nonconformity, you should ask why the nonconformity occurred. A good practice is to ask why five times to find a root cause. Besides that, you can create a template for use in future management review minutes, to avoid forgetting some topic.

    The following material will provide you more information about developing corrective actions:

    - Article - Corrective and Preventive Actions to Support Environmental Management - https://advisera.com/14001academy/blog/2014/07/13/corrective-preventive-actions-support-environmental-management/
    - Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Product Safety Requirement

    The auditor stated requirement a), which is related to documented processes, and i), which is related to the training of personnel.

    You should have documented the process for product safety, for example, in the turtle diagram.

    Also, you can have process maps in a documented procedure; please consider our template procedure for product safety in our IATF 16949 Toolkit: https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/

    Please consider reading our article: “Ensuring product safety according to IATF 16949”: https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/

  • Mould validation

    Validation documents are necessary according to the ISO 13485:2016 requirement 7.5.6 Validation of processes for production and service provision. The manufacturer needs to have a documented procedure for the validation and records of the result and conclusion of validation.

    When it comes to product quality in injection molding, machine and tool validation is fundamental to creating a stable manufacturing process and de-risking the project. The purpose of validation is to ensure that injection molders have a stable and dimensionally centered process that consistently produces high-quality products. Validation is basically providing the scientific evidence that the machine and tool are repeatedly doing everything you expect them to do, every minute of every day.


    For more information about validation please read the article on the following link: 

    Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/

  • Organization and Functions Manual & Positions and Functions Manual

    Of course you can do it; any of the options you present to me is valid. In addition, the positions in the organization, as well as the responsibilities and competences for each of the functions, must be clearly defined, and if these are collected in a single document it is easier to know who is responsible for what. On the other hand, this way it is easier to determine the training needs of each of the roles within the organization.

    These materials may help you better understand the functions and responsibilities within ISO 9001:2015:

    - Article - How to document roles and responsibilities according to ISO 9001: https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
    - Enroll for free in this course - ISO 9001:2015 Foundations Course - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
