Different organizations use different methods to close up finished quality objectives. For example:
* A report presented to top management showing that quality objectives were met, and a meeting minute acknowledging that;
* A report presented to top management showing that quality objectives were met, and a management review meeting minute acknowledging that;
It is important to clearly demonstrate that the targets were met.
The following material will provide you with information about quality objectives:
- Article - How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
- Article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
- Free webinar - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Indeed, nonconforming outputs refer to those products or services that have already been delivered.
Organizations have to deal with nonconforming outputs in the following ways:
1. Through correction.
2. Through segregation, subsequent containment, and the return or suspension of products.
3. By informing the customer.
4. By obtaining authorization for acceptance under concession.
When nonconforming outputs have been corrected, their conformity to the requirements must then be verified.
These materials may help you better understand nonconforming outputs:
- Article - Five steps in ISO nonconforming products: https://advisera.com/9001academy/blog/2014/01/13/five-steps-iso-9001-nonconforming-products/
- Enroll for free in this course - ISO 9001:2015 Foundations Course (in Spanish) - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Let us consider as an example a lab used to perform the quality control of water supplied to a city. According to national legislation there must be a quality control plan stating the parameters to control, their quality level (specifications), the control frequency, and the lab procedures to be followed.
So, as an auditor, I would like to see:
- Records evidencing:
  - quality control results;
  - that someone with authority validated the quality control results;
  - treatment of any non-conforming results;
  - that the quality control frequency is being followed;
  - that monitoring resources are calibrated and conforming;
  - that people performing the quality control tests have the right competencies.
- That updated and controlled procedures are being followed, for example for sample identification, sample preparation, and lab tests.
The following material will provide you with information about document control:
- Article - ISO 9001 audit checklist for laboratory - https://advisera.com/9001academy/blog/2018/09/04/iso-9001-audit-checklist-for-laboratory/
- Free webinar - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
First, it is important to note that if you have a nonconformity you need to resolve it, so you have to record and handle the nonconformity.
Regarding exceptions/policy modifications, you have two options:
In this situation, the best approach is to include controls 14.2.5, 14.2.6, 14.2.8, and 14.2.9 in the SoA, with the justification that there are unacceptable risks that require their implementation, and specify in the implementation method that they are implemented by suppliers according to signed contracts.
It is important to note that, when an organization transfers risks, it retains accountability for those risks, and the best way to keep track of them is by documenting them in the SoA.
This article will provide you further explanation about risk treatment:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
First of all, you need to get the new edition, ISO 13485:2016, and do a gap analysis against the new requirements. You can find the differences between the new and the previous edition of the standard in Annex A of ISO 13485:2016 - Comparison of content between ISO 13485:2003 and ISO 13485:2016.
For more information and details, I suggest a meeting which you can schedule here: https://advisera.com/13485academy/free-consultation/
Of course, feel free to see if our ISO 13485:2016 toolkit can help you, at the following link: https://advisera.com/13485academy/iso-13485-documentation-toolkit/
good
A control from ISO 27001 Annex A can be applicable based on these general justifications:
Considering that, it is acceptable under ISO 27001 to justify the applicability of a control as being required by GDPR, but not to use ISO 27001 itself as the justification, because it does not require any control to be implemented (for the standard, implementation is determined by the above-mentioned conditions).
This article will provide you further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Job title and position refer to the roles in the organization that have the responsibility to perform some activity in the document. For example, in the phrase "[Job title] is responsible for coordinating risk assessment activities", you have to define which role in your organization will coordinate this activity. This can be the security officer, if such a role exists in your organization, or you can assign an existing role to take on this activity (e.g., IT manager).
For more information about roles and responsibilities, please read:
- How to document roles and responsibilities according to ISO 27001 (in Portuguese) https://advisera.com/27001academy/pt-br/blog/2016/06/22/como-documentar-papeis-e-responsabilidades-de-acordo-com-a-iso-27001/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
The California Consumer Privacy Act (CCPA) has requirements related to the processing of personal data, and ISO 27001 has requirements for the protection of information security, so the ISO 27001 Lead Auditor certification can provide you with a good foundation for auditing CCPA requirements.
To schedule a meeting with one of our experts, please access this link: https://advisera.com/27001academy/consultation/
This article will provide you further explanation about CCPA and ISO 27001:
- Does ISO 27001 help CCPA compliance? https://advisera.com/27001academy/blog/2018/10/16/does-iso-27001-help-ccpa-compliance/
These materials will also help you regarding becoming an ISO 27001 Lead Auditor:
- How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- ISO 27001:2013 Lead Auditor course https://advisera.com/training/iso-27001-lead-auditor-course/