Thank you very much. This was a confirmation for me.
1. How to submit to our dept/unit (Human Resources) the quality objectives?
Your organization defined some quality objectives and you need to deploy them to the HR department. I would start with a presentation from top management communicating to everyone what the quality objectives are and why they are important for all. Then, I would meet the HR manager to work with him or her around the question: how can the HR team contribute to meeting these objectives? For example, a quality objective like "Reduce delivery delays by ..." may be helped by reducing absenteeism. Can HR assume a departmental objective to reduce absenteeism? If that is the case, do not forget to include how much the organization saves (or does not lose) by reducing delivery delays and absenteeism.
2. How to submit to our dept/unit (Human Resources) the internal & external risks that can affect the intended objectives of the dept/unit quality management system?
Start with the intended objectives; I always recommend starting from there when determining risks and opportunities. What can be seen as a promoter of friction against meeting the objectives? Those are the risks.
What could undermine your intention of reducing absenteeism? You can call a team together and brainstorm, perhaps using a cause-effect diagram, to develop a list of possible risks.
After listing those risks, evaluate them.
The following material will provide you with more information about quality objectives and risks:
- Article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
- Article - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Article - How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- Free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
1 - What would be the best approach for us to get certified for ISO 27001? Self-implement, consultant?
Answer: The most common approaches to implementing ISO 27001 are:
Each one of them has its advantages and disadvantages. For more information, I suggest the following materials:
These materials will also help you with the ISO 27001 implementation:
2 - Is the initially defined scope practical in your expert opinion?
Answer: Separate scopes certified at different times are a good approach when you have limited resources and some business units, besides the head office, are more critical than others (you can certify them in the order most relevant to the business).
It is important to note that you do not need to certify other business units after the head office (if ISO 27001 certification is more urgent for the business units, you can start with them).
For further information regarding scope definition, see:
3 - Are your templates and services applicable to our company, as they are designed for small and medium companies?
Answer: It is true that our templates are designed for companies of up to 500 employees. Therefore, for organizations with more than 500 employees the templates will require you to add more text to some of the documents (e.g. the Risk Assessment Methodology) to address the higher complexity of a company of your size. We do have a couple of larger clients who adapted the templates successfully.
Stage 1 audits are about documentation and are normally performed in a meeting room. Their main purpose is to evaluate the design of the management system against the standard. Stage 2 audits are performed at the places where people do their jobs and are much more practical, much more about whether the employees are complying with everything that is written in the documentation. This is achieved by interviewing the employees, examining the relevant documents, records, forms and guidelines, and also by visiting relevant areas of the organization.
So, normally, during stage 1 audits auditors will not check quality control records, although they might want to check management review records.
The following material will provide you with more information about certification audits:
- Article - How to prepare your company for the ISO 9001 certification audit - https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
Each Validation Master Plan (VMP) must outline the following: the principles involved in the qualification of a facility, the areas and systems to be validated, and a written program for achieving and maintaining a qualified facility. A VMP is a document that details the way a company will operate, who has control over the various aspects of the validation activities, and how production, quality control, and personnel management will be directed. Ideally, from a risk perspective, the VMP should include an overall assessment of the potential impact of the R&D processes on the quality of the new product. When you use a risk-based approach, the VMP will identify which processes to validate and in what order to perform the validations.
By performing validation, an organization can make sure that its processes can produce the planned results consistently.
For more on how to perform validation, please read the following article:
Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/
In most certification bodies, the last date for medical devices to be CE marked according to the MDD 93/47/EEC is 1st November. After that date, all new medical devices must be certified according to new Regulation 2017/745 on medical devices (MDR): https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745&from=EN
For classification, you have to look in Annex VIII of the MDR, where all the classification rules are. In my opinion, your device falls under Rule 8, which covers all implantable devices, but that rule states that where they "are spinal disc replacement implants or are implantable devices that come into contact with the spinal column, in which case they are classified as class III with the exception of components such as screws, wedges, plates, and instruments." Therefore, if your spinal implants ARE NOT screws, wedges, plates, or instruments, then your spinal implants are class III.
For other questions, I suggest that we talk over Skype or similar services as it will be easier to explain the terms sought.
How can I make a statement to my suppliers informing them that I am implementing an ISMS and that at later dates we will be auditing suppliers?
Will they have an example?
ISO 27001 does not prescribe the form to be used for such communication, only that an organization must determine the need for internal and external communications relevant to the ISMS, considering what to communicate, when, with whom, who shall communicate, and the processes to be used.
Considering that, you can use already implemented methods and forms you have (e.g., paper memos, e-mail, etc.).
The most important thing regarding this situation is that you must review the contracts and service agreements with your suppliers to identify legal clauses that can support your demand to audit them (you should make reference to these clauses in your communication). In case you do not have such clauses, you will have to consider reviewing the contracts/service agreements.
These articles will provide you with further explanation about supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/
1. What do you know about health and safety policy and SHERQ policy, and how would you go about developing/formulating and implementing them?
The H&S policy is the overall goal of a company for their OHSMS, whereas the SHERQ policy is an integrated policy for safety, health, environment, risk and quality. If you had an integrated management system for all of these disciplines, it can be helpful to have one overall policy (goal) for all of the management systems so that goals are aligned and assessments (such as risk assessments) are done in a consistent fashion. Any policy should be developed by looking at the needs and expectations of interested parties, including the organization, and developing a policy goal to meet these expectations. For more information on this topic see the article: How to write an OH&S Policy, https://advisera.com/45001academy/blog/2015/06/19/how-to-write-an-ohs-policy/
2. Why are hazard identification and risk assessment important in the workplace, and how would you conduct them?
Hazard identification is identifying what could cause injury or ill health in your processes, and this is obviously important so that you can do something about these hazards to prevent injury and ill health. Risk assessment is looking at the top-level risks that can affect the OH&S in the organization, and again making plans to avoid serious risk is the reason for doing these. The important thing about both of these is to get the people involved who best know the processes, since they can best assess the hazards and risks. For more information on this topic see the article: Hazards vs. risks – What is the difference according to DIS/ISO 45001?, https://advisera.com/45001academy/blog/2016/03/23/hazards-vs-risks-what-is-the-difference-according-to-disiso-45001/
3. What is the importance of an evacuation policy, and how can it be developed?
An evacuation policy is one of the emergency response plans to have in place that you create in response to a potential problem. It is often developed by identifying the potential problem to be controlled, then identifying the evacuation that is needed in response to this problem. For more on this topic see the article: 5 elements to consider when testing your organization’s health & safety emergency response procedure, https://advisera.com/45001academy/blog/2017/02/22/5-elements-to-consider-when-testing-your-organizations-health-safety-emergency-response-procedure/
Thank you so much, this has been a huge help! :)
The minimum documentation you need is the Website T&C, Privacy Policy, and the Cookie Policy.
You can find readily available templates for websites within this Mini GDPR Toolkit for Websites - https://advisera.com/eugdpracademy/eu-gdpr-mini-toolkit-for-websites/