21 CFR 820 is the current quality system for medical devices used by the FDA. There is no requirement of conformance with ISO 13485. Each standard (21 CFR 820 and ISO 13485:2016) may have additional requirements, but the requirements do not conflict with one another. While 21 CFR 820 compliance is required by law for the commercialization of medical devices in the United States, ISO 13485 is voluntary.
If you need information on the differences and similarities between FDA 21 CFR Part 820 and ISO 13485, please read the article at the following link:
ISO 14001:2015 does not include definitions for emergency or abnormal operation.
I use the term abnormal for situations different from normal operation. For example, although abnormal, the environmental impact is not severe.
I use the term emergency for an unplanned situation with severe environmental impact.
A machine breakdown is unplanned, and its environmental impacts are either severe (we have an emergency situation) or not severe (we have an abnormal situation).
In IATF 16949 requirement 7.2.3 there are new requirements more demanding than in the previous version.
Some of them are:
- Using risk-based thinking, customer-specific requirements, quality technology and methods (core tools)
- ISO 19011 as the standard for audits
- Knowledge for process-related risk analysis (FMEA)
- Demonstrating technical competence of auditors
Also, maintenance of and improvements in internal auditor competence shall include minimum numbers of audits per year and knowledge maintenance.
For more information, please read the article:
Requirements for the competence of IATF 16949 Internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/
The value added to a certification regarding its accreditation body will depend on the marketing or industry you are considering.
Considering ISO 27001 personal certification, the most recognized accreditation bodies for training providers are IRCA, PECB, and Exemplar Global (formerly RABQSA).
This article will provide you further explanation about the ISO 27001 lead auditor course:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
This material will also help you regarding the ISO 27001 lead auditor course:
- ISO 27001 Lead Auditor course https://advisera.com/training/iso-27001-lead-auditor-course/
ISO 27001 does not prescribe how an organization must define its information security structure, only that relevant responsibilities related to information must be defined, so organizations are free to define them as they see fit.
Considering this, your suggested areas are acceptable if your organization is a small or medium one (i.e., up to 500 employees). Please note that a committee's role is most related to making decisions about implementation steps, not executing them (this is part of the implementation team's responsibilities).
This article will provide you further explanation about responsibilities in an ISO 27001 implementation project:
- RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/
These materials will also help you regarding the ISO 27001 implementation project:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
- Free online training: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
It is possible to use an untrained auditor as part of his training program as a trainee auditor with the surveillance of experienced mentors.
For more information read our article: Requirements for the competence of IATF 16949 Internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/
Please also consider our article: "IATF 16949 audit types & how they affect process improvement" https://advisera.com/16949academy/blog/2017/11/01/iatf-16949-audit-types-how-they-affect-process-improvement/
Yes, ISO 9001 is applicable to any kind of organization, profit or nonprofit, in any economic sector.
The following material will provide you information about ISO 9001:
- What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/
- Free webinar: Overview of ISO 9001 implementation steps https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Free online training: ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- Book: Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
I agreed when you stated that businesses should gather data about the occurrence of the problem. My friend wants to have CAPA software to streamline their processes. I should advise him to go for it to predict challenges.
Yes, it is a special case of non-conformity, what ISO 9001:2015 clause 8.2.1 c) calls a complaint. After investigation your organization can conclude that there is no responsibility, but until then it is a non-conformity, one that organizations want to avoid.
The following material will provide you information about the risk-based approach:
- ISO 9001: Effective complaints management in a QMS https://advisera.com/9001academy/blog/2014/09/16/effective-complaints-management-qms/
- Free online training: ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- Book: Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
1. Some of the Annex A clauses are worded as if they are mandatory; for example, 5.1.1: "A set of policies for information security shall be defined [...]". Is it acceptable to justify selection on the basis that this is a mandatory element of 27001?
Please note that a control from ISO 27001 Annex A is mandatory only if:
- There are unacceptable risks that require the implementation of the control
- There are legal requirements that require the implementation of the control
- There is a top management decision that requires the implementation of the control
These are acceptable justifications to apply a control.
If none of the above occurs, you do not need to implement the control. What happens is that once a control is deemed applicable, then all "shall" items related to it are mandatory to implement.
This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
2. We have multiple risks associated with the same vulnerability (as expected); for example, the vulnerability "inadequate protection from unauthorized access" occurs many times. Is it acceptable to justify on the basis of 'All risks associated with "inadequate protection from unauthorized access"' rather than itemize each risk?
This approach is not acceptable because it does not allow an easy identification of which risks are related to the applied control. In this case, you can only mention in the SoA the ID of the risks listed in the risk treatment plan. For example, "Control X is applicable because of unacceptable risks 23, 35 and 47 listed in the risk treatment plan".
This article will provide you further explanation about SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
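As an added example (not code from the original answer or from Advisera), the following Python checker applies the justification rules from the two answers above to Statement of Applicability rows: every applicable control must cite unacceptable risk IDs that exist in the risk treatment plan, a legal requirement, or a top management decision, and blanket or unknown risk references are flagged. The control references, risk IDs and treatment plan are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SoAEntry:
    control: str                     # Annex A control reference (sample values below)
    applicable: bool
    risk_ids: List[int] = field(default_factory=list)  # risk IDs from the treatment plan
    legal_requirement: str = ""      # reference to a law or regulation, if any
    management_decision: str = ""    # reference to a recorded top management decision, if any


# Constructed risk treatment plan: risk ID -> True when the risk was assessed as unacceptable.
RISK_TREATMENT_PLAN: Dict[int, bool] = {23: True, 35: True, 47: True, 50: False}


def check_entry(entry: SoAEntry, plan: Dict[int, bool] = RISK_TREATMENT_PLAN) -> List[str]:
    """Return the findings for one SoA row; an empty list means the row is properly justified."""
    findings: List[str] = []
    if not entry.applicable:
        return findings  # reasons for excluding a control are reviewed separately
    unknown = [r for r in entry.risk_ids if r not in plan]
    accepted = [r for r in entry.risk_ids if r in plan and not plan[r]]
    valid = [r for r in entry.risk_ids if plan.get(r)]
    if unknown:
        findings.append(f"risk IDs not found in the risk treatment plan: {unknown}")
    if accepted:
        findings.append(f"risks assessed as acceptable do not justify a control: {accepted}")
    if not (valid or entry.legal_requirement or entry.management_decision):
        findings.append("no justification: cite an unacceptable risk, a legal requirement, "
                        "or a top management decision")
    return findings


def audit_soa(entries: List[SoAEntry]) -> Dict[str, List[str]]:
    """Map each control with problems to its findings; fully justified rows are omitted."""
    return {e.control: f for e in entries if (f := check_entry(e))}


# Constructed sample SoA rows (Annex A numbering follows ISO 27001:2013).
SAMPLE_SOA = [
    SoAEntry("A.9.1.1", True, risk_ids=[23, 35, 47]),                    # justified by risk IDs
    SoAEntry("A.18.1.4", True, legal_requirement="data protection law"),  # justified by law
    SoAEntry("A.12.6.1", True, risk_ids=[50]),                            # cites only an accepted risk
    SoAEntry("A.11.2.7", True),                                           # no justification at all
    SoAEntry("A.14.2.7", False),                                          # excluded control
]

if __name__ == "__main__":
    for control, findings in audit_soa(SAMPLE_SOA).items():
        print(control, "->", "; ".join(findings))
```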