
  • Audit planning

    For certification maintenance purposes, all elements included in the ISMS scope of each certification must be audited at least once during the 3-year period of the certificate validity, so all applied controls must be audited.

    Considering your situation, an alternative approach would be for your organization to hire an external audit company to perform internal audits covering less critical controls, leaving you two free to focus on the audits covering the most critical controls.

    However, you might have a problem with the level of detail you are auditing: it is not necessary to audit each and every record; you can select only a representative sample. Learn more here: ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/


    This article will provide you with further explanation about planning audits:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

  • Questions regarding GDPR

    1. Is the GDPR applicable to the clinic if we have EU customers?

    If you are specifically targeting clients in the EU then in relation to the processing activities of the health data the EU GDPR would be applicable.

    2. We ask possible patients for some information about their health conditions and allergies. Are there any specific conditions we need to comply with?

    If the health data is required strictly in relation to the medical procedure, then it should be OK to ask for this information. You need to specify in your Privacy Notice for what purpose you are asking for health data.

    If you want to find out more about Privacy Notices, check out this webinar "Privacy Notices under the EU GDPR" (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

    3. Do we need a DPO?

    If your main activities imply processing the health data of EU data subjects, you should consider hiring a DPO or contracting a third party that can provide such services.

    4. Do we need to ask for consent before asking the health data?

    No, consent is not needed, provided you ask for the health data in order to protect the vital interests of the patients.

    5. We have a contract with a hotel where we keep the patients after the procedure. We send them the names of the patients to the hotel. Do we need to do something?

    This highly depends on your activity and the types and categories of personal data you are processing, 

    6. How long would it take to be compliant with GDPR?

    You can get an idea on the duration by accessing this EU GDPR Compliance Calculator (https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/)

  • ISO13485 and MDSAP

    Yes, our ISO 13485 Toolkit supports the requirements of ISO 13485 in the MDSAP. The ISO 13485 Toolkit takes you through all the MDSAP requirements and tells you WHAT needs to be done; MDSAP guides you on HOW to meet each individual requirement. So the ISO 13485 Toolkit and MDSAP complement each other.

  • ISO 9001:2015 Questions

    Thank you very much, sir, for enlightening me.

  • Integration of procedures

    I think it is better to treat the procedures separately; in fact, in our documentation package that integrates the three standards we address these matters separately, since this is a very important part of the management system. Combining the requirements of the three standards can lead to something being left out. For example, in the case of identifying environmental aspects and their risks, it is first necessary to carry out a simple life-cycle analysis of the product or service, in order to then identify the significant environmental aspects of the processes the organization controls or influences, and the associated risks. In the case of the quality management system, a simple SWOT analysis (strengths, weaknesses, opportunities and threats) can be performed, in which risks and opportunities are identified and those considered significant are then addressed.

    The advantage of doing it jointly is that the organization saves documentation, but, as I mentioned above, it can lead to some risk, environmental aspect, or occupational health and safety hazard going unidentified, with the consequences that entails.

    These materials can help you with the identification of risks and opportunities in ISO 9001:

    - Article - How to identify risk significance in ISO 9001:2015: https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/

    - Article - How to identify risk controls in ISO 9001:2015: https://advisera.com/9001academy/blog/2019/01/21/how-to-identify-risk-controls-in-iso-90012015/

    - ISO 14001 - ISO 14001 risks and opportunities vs environmental aspects: https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/

    - Article - Hazards vs risks: what is the difference according to ISO 45001: https://advisera.com/45001academy/blog/2016/03/23/hazards-vs-risks-what-is-the-difference-according-to-disiso-45001/

    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    - Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

  • "Shall" statement

    This is a question that often comes up during webinars. How to evidence something that ISO 9001:2015 does not compel you to document?

    This is why I believe ISO 9001:2015 is better understood from the point of view of an organization that has never implemented a quality system and is starting from scratch. Let me answer with an example. Consider an organization that has nothing written about risks. How can they evidence that risks were determined and evaluated, and that actions were taken?

    Let us consider the process "Buy material".

    - Can anyone order materials from a supplier?
      No, only authorized functions.
    - Can you order a material from any supplier?
      No, only suppliers included in the Suppliers Approved List.
    - Can delivered materials be sent directly to production?
      No, only after a quality control check done by the warehouse.
    - Can non-conforming material be sent to production inadvertently?
      No, non-conforming material is labeled as non-conforming and is segregated in a special space.
    - Come on, people operate your process; they can fail.
      Yes, they can fail, but to minimize that we defined competencies for each function, and we select and train people according to those competencies.

    You see, these are things that an organization with a quality management system already implemented is already doing to avoid or reduce risks, without using that terminology. So, search for evidence like this. I'm sure you can find it if you put on another kind of lens.

    The following material will provide you with more information about auditing:

    - Article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ (there is no shortage of mandatory records that can be used to check evidence by "triangulation")
    - Free webinar on demand – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • IT Auditor Skills improvement

    Job security and career growth depend on many parameters. Some of them are influenced by your efficiency and results, and others are business/economic related. Here are a few examples:

    • Your expertise
    • Your efficiency/results you'll achieve
    • Customer feedback
    • Professional approach
    • Market (and conditions on the market)
    • Number of customers
    • Etc.

    This article (although written for the ISMS, it is completely applicable to other standards as well) will help you understand how to become a Lead Auditor:
    How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    You can enroll for free in our ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

  • Applicability of EU GDPR

    The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

    When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be "in the Union". For example, the EU GDPR will not be applicable to a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case the processing does not take place "in the Union," nor is the individual "in the Union".

    If you want to find out more about the EU GDPR, check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).

  • Guidelines for implementation

    To start your implementation of AS9100 Rev D there are three things that are important to know. The first is the overall process that will need to be followed, which you can see in this downloadable diagram. The second thing to learn is the requirements of the standard, an overview of which you can find in the clause-by-clause explanation. Finally, it is important to understand what documentation is needed, which you can find in the list of mandatory documents:

    - AS9100 Rev D implementation diagram - https://info.advisera.com/9100academy/free-download/as9100-rev-d-implementation-diagram
    - Clause-by-clause explanation of AS9100 Rev D - https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
    - AS9100 Rev D List of Mandatory Documents - https://info.advisera.com/9100academy/free-download/as9100-rev-d-list-of-mandatory-documents

  • The Auditing Process

    In the certification audit, it was established that your organization's quality management system (QMS) complied with the requirements of ISO 9001:2015.

    In the surveillance audit, auditors will be less concerned with the design of the QMS and much more focused on getting evidence about:

    • Is the system still implemented?
    • Is the system effective?

    That way, the approach that you designed is valid.

    The following material will provide you with more information about the surveillance audit:

    - What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
    - Surveillance visits vs. certification audits - https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - Enroll for free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
