influence the possibility of meeting the audit program objectives
Answer:
Not having enough resources to execute the audit program (time and/or competent and independent internal auditors).
interfere with auditees’ activities
Answer:
For example, wanting to audit an employee when he or she is performing a critical task that requires full attention. Or wanting to audit an employee with questions while he or she is interacting directly with a customer.
interfere with auditees’ processes
Answer:
This is similar to the last one. A process is a set of activities performed by one or more actors.
Most likely, in the current situation, the procedure is not being followed as there are new “actors” and authorities and responsibilities are no longer centralized.
If the present situation is acceptable and delivering good results, your organization can simply update the Purchasing procedure to reflect the present situation. Do not forget to check if job descriptions and competence requirements also need an update because of the new situation.
I, as an auditor, always like to see updates in documents; it is a sign that the system is alive.
The following material will provide you with more information about document control:
- New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- QMS Change Management in 7 steps - https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
- Enroll for free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
You can start in whichever office you want, this is not something that is regulated by the GDPR. However, at the end of the day, all group companies need to be compliant.
I suggest that you start with the company which has the most complex processing activities.
If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//)
Security Master Plan is not a concept used by ISO 27001, but consider the following definition from SGW Consulting:
"The Security Master Plan is a document which comprises a report, drawings, and illustrations that set out the organization's security strategies, goals, plans, policies, and procedures. It is used to provide a detailed outline of the security risks and mitigation plans agreed between stakeholders."
The closest ISO 27001 related documents are:
- Risk assessment and risk treatment report: outline of the security risks
- Statement of applicability: plans, policies, and procedures
- Risk treatment plan: security strategies (i.e., treatment options)
Regarding ISO 27001, there is no prerequisite to attend the courses required to take the exams for ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications, so you can just enroll in courses with accredited exams, like our ISO 27001 Lead Auditor course (https://advisera.com/training/iso-27001-lead-auditor-course/)
This article will provide you with a further explanation about the lead auditor course:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
Regarding PCI-DSS, CISM and CISSP, these aren't our area of expertise, but generally speaking, you have to provide evidence of experience and take an exam (you can study on your own or take a course, this will depend on the time you can dedicate and your discipline to study). For further information, including options for training, I suggest these links:
- PCI-DSS: https://www.pcisecuritystandards.org/program_training_and_qualification/pci_professional_qualification
- CISM: https://www.isaca.org/CERTIFICATION/CISM-CERTIFIED-INFORMATION-SECURITY-MANAGER/Pages/default.aspx
- CISSP: https://www.isc2.org/Certifications/CISSP#
Unfortunately, we do not have this specific mapping available.
However, you can combine the information provided in ISO 13485 Annex B (which maps ISO 13485:2016 clauses to ISO 9001:2015 clauses) with the information provided in this free downloadable material to have a link between ISO 13485 and ISO 27001:
Yes, there is a relationship. EIA is used to determine and evaluate the environmental impacts of products, processes, and investments that are still in the project phase. So, as a good preventive practice, an organization with an environmental management system should perform an EIA when facing new products, new machines, or new installations. It is another way of considering the life-cycle topic.
Please consider the following documentation about environmental aspects and impacts to go deeper into the topic:
Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/knowledgebase/environmental-aspect-identification-and-classification/
Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
Free webinar on demand - ISO 14001:2015 Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar/
Enroll for free in the course - ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-foundations-course/
Book - The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
The Supervisory Authorities in Europe cannot enforce the GDPR outside EU borders. However, if that entity has a representative in the EU, that representative will be responsible for any infringement of the GDPR by the US company.
If you want to find out more about the extraterritorial reach of the EU GDPR check out this EU GDPR Foundations course (https://advisera.com/training/eu-gdpr-foundations-course//)
Instructions for Use (IFU) for in-vitro medical devices (IVD) must have a unique reference to identify the right version of the IFU. This reference should allow the user to retrieve the applicable IFU. Usually, this unique reference mark is printed in a small font size somewhere in the corner of the IFU. Each time you change something in the IFU, you need to mark the new revision of the IFU. Changes are best documented through the change control process. According to ISO 13485 4.2.4 c) you need to ensure that different versions of the documents can be distinguished, and according to h) you need to prevent the unintended use of obsolete documents.
At the following link you can find information on what must be included in the IFU and what the purpose of the unique reference number is: https://ec.europa.eu/docsroom/documents/10293/attachments/1/translations
For more about common mistakes in ISO 13485 documentation control, please read the following article:
Common mistakes with ISO 13485:2016 documentation control and how to avoid them https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/
The following things need to be considered for label printing validation:
1. Print quality and durability (Printability of the design, Computer printer selection, Abrasion resistance: preprint and imprint, Chemical and solvent resistance)
2. Adhesive properties (Adhesive composition, e.g. hot melt, emulsion acrylic, etc., Adhesive initial tack and ultimate bond, Substrates adhered to and their shape, Application temperature, Operating temperature, Sterilization environment)
3. Environmental conditions (Package composition, Shipping method and conditions, Storage conditions and length of storage, Chemical resistance)
Here is the proposed plan:
1. Adhere samples to appropriate substrates at the accepted sample size.
2. Peel tests after 24-72 hours
3. Temperature and humidity conditioning
4. Visual inspection and peel tests
5. Abrasion testing
6. Sterilization and final package tests
7. 'Shake, rattle, and roll' tests
Tests that can help you are:
- ASTM D3330, Peel adhesion of PS material
- ASTM D5264, Sutherland abrasion and smudge resistance test
- ASTM F1319, Crockmeter abrasion and smudge resistance test
- ASTM F2252, Ink adhesion tape test
- ASTM F2250, Chemical exposure, inks & coatings
- ASTM D4169, Distribution testing, "Shake, rattle, & roll"
- ASTM F1980, Accelerated aging
However, with regard to the need for process validation, the label printing operation can be rendered "non-special" since the process output is fully verifiable through subsequent inspection.