  • Asset handling in risk assessment

    In cases like this, you can use a single item like "corporate laptops" to refer to all laptops in your organization in the risk assessment process. Please note that, if you have a situation where different groups of laptops need to be treated differently, you can adopt multiple items, like "development laptops", "management laptops", etc.

  • Developing multiple Disaster Recovery Plans

    Basically, you can use the same Disaster Recovery Plan template for every separate plan you need, each one covering specific systems or processes you need to recover according to your needs.

  • Risk-based thinking as a strategy on universities

    https://www.screencast.com/t/VQbf0wnetO7F

    In my humble opinion I see the risk-based thinking not as a strategy but as an approach to set priorities of action either to meet desired results or to avoid undesired results.

    In the picture above, I use the word customer but for universities it is much more helpful to use interested parties: what society at large wants or expects from universities; what employers want or expect from universities; what politicians, what scholars and researchers, what students and their families want or expect from universities, … 

    I apply the risk-based thinking at three levels:

    - Context (considering clauses 4.1 and 4.2 of ISO 9001:2015. For example, risks coming from the economic evolution)
    - Product and or service (considering clause 5.1.2 b) of ISO 9001:2015. For example, risks coming from online universities and very specific internet courses)
    - Processes (considering clause 4.4.1 f) of ISO 9001:2015. For example, risks coming from “teacher selection and contract”).

    I would work with a university trying to determine risks and opportunities:

    - Reduce or minimize 1 (from the picture)
    - Increase or maximize 2 (from the picture) – Example: no one will care if classes have electric light. Everybody will be upset if there is no electric light in a late-in-the-day class
    - Increase or maximize 3 (from the picture)
    - Reduce or minimize 4 (from the picture)

    The following material will provide you more information about risks and universities:

    - Article - Should universities implement ISO 9001? - https://advisera.com/9001academy/blog/2015/04/21/should-universities-implement-iso-9001/
    - Article - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - Free webinar on demand – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Environmental and Safety Management

    If your organization is going to be audited only according to ISO 9001:2015, Environment and Safety management documents are not audited.

    The following material will provide you more information about scope:

    - How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Preparing a Risk Assessment Procedure

    The procedure should contain at least the following sections:

    - How you identify your risks and opportunities - In this section you can describe a method which can include questions to answer during a brainstorming session with the relevant people of your organization or for instance conducting a SWOT analysis to better understand the risks and opportunities of the context of your organization. 

    - How you determine the level of significance of each risk that has been identified - In this section you need to establish certain criteria to determine a rating for each risk and opportunity. For instance, the probability of occurrence is a criterion often used. 

    - Which actions must be conducted to address the significant risks and opportunities - Here you define which measures must be taken according to the results of risk significance obtained.

    - Review of the actions taken to address the risks and opportunities - In this section you define the frequency of the assessment to be done in order to check the actions that have been conducted to address risks and opportunities. 

    For more information about how to write a procedure for addressing risks and opportunities, see the following materials:

    - Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Expired calibration of infusion/drivers

    Yes, it is a violation of both the regulations and the SOP. 

    For more information about calibration, please read this article:

    Calibration requirements in ISO 13485 - https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/

  • ISO 9001 process flow diagram

    Considering the ISO 9001 process flow diagram.

    Let us concentrate our attention on the activities. Think in terms of verbs, of actions. What do you see from the moment a potential customer contacts the laboratory and the moment that customer receives a report with the test results?

    You can gather a team of people and with sticky notes draw a picture like this one: https://www.screencast.com/t/bWQzjuVNVFM

    This is why the laboratory exists. Those are the main, the operational processes.


    Those processes do not work alone. They need support from other processes that supply resources. Perhaps you can see something like this: https://www.screencast.com/t/3Vh5LqeVgF

    Where is your laboratory going? For whom should it work? What kind of tests should it perform?


    This is typical of a management process that works in close relationship with two other support processes (commercial and developing new tests and services): https://www.screencast.com/t/jCxAuM5RpB

    The following material will provide you more information about the process approach:

    - ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - Free webinar - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Handling of requirements

    If I understood correctly, you are referring to two possible situations:

    1. Standard's requirements do not make sense to the purpose of the standard anymore
    2. Standard's requirements do not make sense to your organization's context

    In the first case, during the standard review (which occurs approximately every 5 years) such requirements can be excluded or reformulated.

    In the second case, you have to verify in the standard if the requirement is mandatory or if there is any condition for exclusion that can be applied to your organization. In the case of ISO 27001, requirements from sections 4 to 10 are mandatory (you cannot exclude any of them), and controls from Annex A can be excluded considering the results of risk assessment.

  • Impact level in specification of security requirements

    In this case, you have two options:

    1 - Use the worst-case scenario for impact considering the threats and vulnerabilities in the category that is closest to the specific information system you want to determine the impact level for. For example, if you have a pair of threat and vulnerability with the highest level of risk and this one can be related to your specific information system, you use it as specification.

    2 - Add this individual information system as a specific asset and identify specific threats and vulnerabilities for this information system and use them as specification of security requirements.

    Please note that one criterion to choose the proper approach will depend on the criticality of these individual systems (the more critical, the more important is that this asset is considered individually instead of as part of a group). It will also depend on the type of risks related to the categories you have (sometimes useful risks can be identified from these general categories and you do not have to work on a specific asset).

  • Work instructions and processes

    If you check the list of mandatory documentation - List of mandatory documents in AS9100 Rev D - https://advisera.com/9100academy/knowledgebase/list-of-mandatory-documents-in-as9100-rev-d/ you will see that only a few procedures are required. However, I recommend, and most organizations do it, having a set of procedures that describe: What is done; By whom; and When.

    When detailed information about how to do it is needed, we use Work Instructions.

    There is no universal standard way for writing Work Instructions. You can use:

    - Written text;
    - Drawings and diagrams like used with furniture mounting instructions;
    - Sets of photos or pictures like in a comic book;
    - Short movies explaining and showing how to do it;
    - A mix of the above approaches.

    Work Instructions should be written with effectiveness in mind. Will people understand and use them when needed? And when used, will they be easy to understand? 

    I try to avoid lengthy Work Instructions because people will probably not use them.

    The following material will provide you more information about documentation:

    - Article - AS9100 Rev D vs. Rev C: What has changed? - https://advisera.com/9100academy/knowledgebase/as9100-rev-d-vs-rev-c-what-has-changed/
    - AS9100 Knowledge base - https://advisera.com/9100academy/knowledgebase/
    - Book - Applying AS9100 Rev D - https://advisera.com/books/applying-as9100-rev-d/