Search results

  • Disaster recovery plan template

    Please note that ISO 27001 does not prescribe the sections a document must contain, so organizations are free to develop them the way it best fits their needs. 

    Considering that, the DRP structure does not contain a reference documents section, and it is different from other documents in the toolkit, like policies and procedures, because it needs to contain only the most necessary information in order not to confuse its users during a very stressful situation (disruption). 

    Regarding controls A.17.1.2 and A.17.2.1, the needed documents for implementing the Disaster Recovery Plan must be referenced in section 10 (Additional documents).

  • GR&R frequency requirement

    The GR&R (Gage Repeatability & Reproducibility) requirement in "IATF 16949" is requested by clause 7.1.5.1.1 Measurement System Analysis; there is no direct requirement for frequency. In the Control plan, you should set the frequency. It can be given by customer-specific requirements or set by the company if there is a high risk of potential measurement errors in some process.

    An example can be a customer-specific requirement for GR&R that can be requested for every shipment if it is OEM (Original Equipment Manufacturing) or it can be requested if there were non-conformities.

    For more information on Measurement System Analysis, please read our article: How to establish Measurement System Analysis: https://advisera.com/16949academy/blog/2017/11/08/how-to-establish-measurement-system-analysis-according-to-iatf-16949/

  • Asset handling in risk assessment

    In cases like this, you can use a single item like "corporate laptops" to refer to all laptops in your organization in the risk assessment process. Please note that, if you have a situation where different groups of laptops need to be treated differently, you can adopt multiple items, like "development laptops", "management laptops", etc.

  • Developing multiple Disaster Recovery Plans

    Basically, you can use the same Disaster Recovery Plan template for every separate plan you need, each one covering specific systems or processes you need to recover according to your needs.

  • Risk-based thinking as a strategy on universities

    https://www.screencast.com/t/VQbf0wnetO7F

    In my humble opinion I see the risk-based thinking not as a strategy but as an approach to set priorities of action either to meet desired results or to avoid undesired results.

    In the picture above, I use the word customer but for universities it is much more helpful to use interested parties: what society at large wants or expects from universities; what employers want or expect from universities; what politicians, what scholars and researchers, what students and their families want or expect from universities, … 

    I apply the risk-based thinking at three levels:

    - Context (considering clauses 4.1 and 4.2 of ISO 9001:2015. For example, risks coming from the economic evolution)
    - Product and/or service (considering clause 5.1.2 b) of ISO 9001:2015. For example, risks coming from online universities and very specific internet courses)
    - Processes (considering clause 4.4.1 f) of ISO 9001:2015. For example, risks coming from “teacher selection and contract”)
     

    I would work with a university trying to determine risks and opportunities:

    - Reduce or minimize 1 (from the picture)
    - Increase or maximize 2 (from the picture) – Example: no one will care if classes have electric light. Everybody will be upset if there is no electric light at a late-in-the-day class
    - Increase or maximize 3 (from the picture)
    - Reduce or minimize 4 (from the picture)
     

    The following material will provide you more information about risks and universities:

    - Article - Should universities implement ISO 9001? - https://advisera.com/9001academy/blog/2015/04/21/should-universities-implement-iso-9001/
    - Article - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - Free webinar on demand – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

  • Environmental and Safety Management

    If your organization is going to be audited only according to ISO 9001:2015, Environment and Safety management documents are not audited.

    The following material will provide you more information about scope:

    - How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Preparing a Risk Assessment Procedure

    The procedure should contain at least the following sections:

    - How you identify your risks and opportunities - In this section you can describe a method which can include questions to answer during a brainstorming session with the relevant people of your organization or for instance conducting a SWOT analysis to better understand the risks and opportunities of the context of your organization. 

    - How you determine the level of significance of each risk that has been identified - In this section you need to establish certain criteria to determine a rating for each risk and opportunity. For instance, the probability of occurrence is a criterion often used. 

    - Which actions must be conducted to address the significant risks and opportunities - Here you define which measures must be taken according to the results of risk significance obtained.

    - Review of the actions taken to address the risks and opportunities - In this section you define the frequency of the assessment to be done in order to check the actions that have been conducted to address risks and opportunities. 

    For more information about how to write a procedure for addressing risks and opportunities, see the following materials:

    - Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Expired calibration of infusion/drivers

    Yes, it is a violation of both the regulations and the SOP. 

    For more information about calibration, please read this article:

    Calibration requirements in ISO 13485: https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/

  • ISO 9001 process flow diagram

    Considering the ISO 9001 process flow diagram.

    Let us concentrate our attention on the activities. Think in terms of verbs, of actions. What do you see from the moment a potential customer contacts the laboratory and the moment that customer receives a report with the test results?

    You can gather a team of people and with sticky notes draw a picture like this one: https://www.screencast.com/t/bWQzjuVNVFM

    This is why the laboratory exists. Those are the main, the operational processes.

     

    Those processes do not work alone. They need support from other processes that supply resources. Perhaps you can see something like this: https://www.screencast.com/t/3Vh5LqeVgF

    Where is your laboratory going? For whom should it work? What kind of tests should it perform?

     

    This is typical of a management process that works in close relationship with two other support processes (commercial and developing new tests and services): https://www.screencast.com/t/jCxAuM5RpB

    The following material will provide you more information about the process approach:

    - ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - Free webinar - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Handling of requirements

    If I understood correctly, you are referring to two possible situations:

    1. Standard's requirements do not make sense to the purpose of the standard anymore
    2. Standard's requirements do not make sense to your organization's context

    In the first case, during the standard review (which occurs approximately every 5 years) such requirements can be excluded or reformulated.

    In the second case, you have to verify in the standard if the requirement is mandatory or if there is any condition for exclusion that can be applied to your organization. In the case of ISO 27001, requirements from sections 4 to 10 are mandatory (you cannot exclude any of them), and controls from Annex A can be excluded considering the results of risk assessment.
