As far as I understand your question, you are speaking about both ISO 9001:2015 clauses 4.4.1 c) and 9.1.1.
Organizations should define performance indicators for their processes. Those performance indicators can be presented in documents that describe each process or in tables that gather all performance indicators from all processes.
The following material will provide you with more information about monitoring and measurement:
- Article - Practical tips for measuring your QMS according to ISO 9001:2015 clause 9.1 - https://advisera.com/9001academy/blog/2017/08/29/practical-tips-for-measuring-your-qms-according-to-iso-90012015-clause-9-1/
- Article - How to define Key Performance Indicators for a QMS based on ISO 9001 - https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
- Free webinar - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
In terms of the requirements and purpose, there is no difference. Both the ISO 9001 and ISO 17025 standards require that organizations address risks and opportunities as they relate to the organization achieving its objectives. The same or similar approaches can also be taken when performing risk analysis. In both cases, organizations are required to perform risk analysis by identifying risks and planning responses. Neither standard prescribes a specific approach or methodology.
For more information on the topic, have a look at these articles:
No, ISO 9001 does not include any intricate process for the movement of documents. It is up to each organization to design the most useful, most effective flow of documentation, both internally and with any outside interested parties, unless that flow is governed by legislation or regulation. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/. You can see that the mandatory documents are very few.
The following material will provide you with more information about ISO 9001:2015:
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
You can consider these documents in the context of awareness and training in two ways:
- as individual documents, where you explain their purpose and how to fill them in
- as part of the processes where they are required (e.g., new employee onboarding, and information exchange between an organization's employees and external parties).
As examples of the process-based approach: in the first case, new employees need to be aware of the documents they need to sign. In the second case, employees working with third parties need to be aware of which documents they have to require the third parties to sign before the organization's information is sent to them.
This article will also help you regarding awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 - https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
This material will also help you regarding awareness and training:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
If there are no legal or contractual requirements for defining a retention period for evidence of training and awareness activities, you can consider a three-year period aligned with the certification validity cycle.
This article will provide you further explanation about records management:
- Records management in ISO 27001 and ISO 22301 - https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
The first important tip for you is to review the rules you currently have in place to comply with clause 7.5.3 (control of documented information). Since you seem to be having problems with these issues, the rules may not be properly adjusted to your context.
Considering electronic documents and records, if their quantity is not very large you can consider organizing them in folders identified by each section of the standard which requires them (e.g., in a folder named "Information Security Policy" you can store the Information Security Policy, in a folder named "Risk Assessment and Treatment" you can store the documents and records related to the risk management process, etc.).
If the quantity of documents is large, you should consider a document management solution (you can see an example of such a solution in our platform Conformio at this link: https://advisera.com/conformio/).
For physical records, you should consider a central cabinet to store them, adopting a folder structure similar to the electronic documents.
This article will provide you further explanation about document management:
- Document management in ISO 27001 & BS 25999-2 - https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
I'm assuming you are referring to ISO 27001 Annex A section A.18.2 Information security reviews. Considering that, the internal audit is the process which covers the controls from this section, and the steps you must consider regarding ISO 27001 requirements are:
- Document review: to (1) become acquainted with the processes in the ISMS, and (2) to find out if there are nonconformities in the documentation with regard to the standard
- Creating the checklist: write requirements you must check during the audit
- Planning the audit: plan which departments and/or locations to visit and when
- Performing the audit: execute what was planned
- Reporting: to summarize all the nonconformities and relevant information you found
- Follow-up: to check whether all the corrective actions raised during the internal audit are closed
To see what internal audit documentation looks like, please take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
For further information also see:
- How to prepare for an ISO 27001 internal audit - https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 - https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- ISO 27001:2013 Internal auditor course - https://advisera.com/training/iso-27001-internal-auditor-course/
1. How can you measure the effectiveness of QMS?
Measuring the effectiveness of a QMS depends on the organization's processes as well as its policy and quality objectives. Most companies compare results to the goals set for the KPIs (Key Performance Indicators) defined for the organization. For example, these can be:
- Number of major non-conformities coming from second/third party audits
- Customer satisfaction improvement
- Confirmed certification from the Registrar
- Obtaining new certifications to improve your business
- Increasing the number of orders from customers
- Cost reduction improvement (including cost of poor quality)
- Time-to-market reduction for new products
- Zero defects achievement
- Compliance with law and regulation
For more information please read the following article:
Practical tips for measuring your QMS according to ISO 9001:2015 clause 9.1: https://advisera.com/9001academy/blog/2017/08/29/practical-tips-for-measuring-your-qms-according-to-iso-90012015-clause-9-1/
2. Does every product recall require an advisory notice? Is there any advisory notice which does not require a product recall?
No, not every product recall requires an advisory notice. Removals from the market for purely commercial, non-safety-related reasons do not require an advisory notice.
For more information on how to handle recalls, and on the synonyms and meaning of the wording in the EU market, please see MEDDEV 2.12/1, revision 8 (January 2013) and the Additional guidelines for MEDDEV 2.12/1 (published July 2019). Both documents can be found at the following link in section 2.12 Post-market surveillance: https://ec.europa.eu/growth/sectors/medical-devices/current-directives/guidance_en
For more information on recalls, corrections and removals under FDA, please look in the following link: https://www.fda.gov/medical-devices/postmarket-requirements-devices/recalls-corrections-and-removals-devices
For more information on recalls and advisory notices for medical devices, please read the following article:
How to manage recalls and advisory notices for medical devices according to ISO 13485 - https://advisera.com/13485academy/blog/2017/08/31/how-to-manage-recalls-and-advisory-notices-for-medical-devices-according-to-iso-13485/
According to ISO 9000:2015, effectiveness is about measuring the extent to which planned results are achieved. What are the planned results of training? Training is given with a purpose; training is given to meet an objective. Effective training is training that meets its objective.
For example, we train people to learn how to use our company software, and we set as our objective that one week after the training, people already know how to use the software and are autonomous: they don't need more than one help request per day.
If after that one week we meet our objective, we can say that the training was effective. Please note that each training has a different purpose, a different objective, and a different timing to check effectiveness. So, evaluating training effectiveness requires predetermining the training objectives and the timing at which effectiveness is checked.
The following material will provide you with more information about effectiveness:
- Article - How to measure training effectiveness according to ISO 9001 - https://advisera.com/9001academy/blog/2016/03/29/how-to-measure-training-effectiveness-according-to-iso-9001/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
What is the difference between measuring effectiveness of QMS and measuring effectiveness of a process?
Answer:
We wrote “one can measure the effectiveness of a QMS by evaluating the extent to which the quality objectives are achieved.”
The same approach can be used to measure process effectiveness. Each process has one or more indicators that allow measuring its performance against its purpose. So, one can measure the effectiveness of a process by evaluating the extent to which the process indicators’ targets are achieved.
Can a QMS be effective without all of its processes being effective?
Answer:
A QMS is the result of the sum of its processes. When we go from the individual (process) to the global (system), there is one thing that we call emergence, because a system is more than just the sum of its individual parts. So, we have to be careful about emergence and about assuming linear relationships between the sum of the individual parts and the whole. Having said that, I can agree that a QMS can be effective even if some of its processes are not effective. Please consider that not all processes have the same impact on QMS objectives. In my consulting work it is normal to find processes that must exist but don't contribute to strategy execution, for example.