
  • Design Control Documents


    Answer:

    For the design control document, we do have one available on hand: https://advisera.com/13485academy/documentation/procedure-for-design-and-development-iso-13485-2016/ .

    Concerning the user requirements, you should think about the roles of each function in the company with respect to design and development. Some examples of inputs could be intended application, usability requirements, risk control, etc. For outputs, you should factor in raw materials, manufacturing processes and quality assurance.

    For more information, please refer to:
    - How to manage design and development of medical devices according to ISO 13485:2016: https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/
  • Defining the vision of a company


    Answer:
    A vision statement is future-based, and its purpose is to inspire and give direction to employees. Your company is on a journey to become what? If everything goes well, what kind of company do you want to become as a whole? When I help organizations define their vision, I invite people to think about what would make them proud of working for that organization or owning that organization. Don't think about what needs to be done; that is strategy stuff. Travel in time to the future and describe what you see there. What kind of work does it do, for what kind of clients does it work, how is it known, why is it praised, why does it make a difference? Keep it short, simple and focused so that it is of help and motivation.

    The following material will provide you more information:
    - ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
    - To what extent should top management be involved in your QMS? - https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/
    - You can enroll for free at ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Changes in the Organization Chart


    Answer:
    Yes, you can. Later, when the certification body schedules with your organization the next surveillance audit, your organization can send them a new version of the organization chart.

    The following material will provide you more information:
    ISO 9001 – What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
    Surveillance visits vs. certification audits - https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    You can enroll for free at ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Becoming technical writer


    Answer:

    For BC and DR documentation elaboration jobs I suggest you to consult this list from DRJ (Disaster Recovery Journal): https://www.drj.com/business-continuity-consultants/all.html

    Additionally, if you want to participate as a contributor to the ISO 27001 and ISO 22301 standards, you have to contact the standardization body of your country to verify whether it has working groups related to these standards, and submit your resume.
  • Lead Auditor certification renew


    Answer:

    To renew your certification you have two options:
    1 - You should consult your certification issuer, or another accredited training provider, to verify whether they provide an update course related to your lead auditor certification. Normally these courses are available after a new version of a standard is released. Such courses present to auditors what has changed in the new version of the standard, and can be used to renew a certificate.
    2 - You can take a full course and retake the exam. Here you can have access to the accredited Lead Auditor course provided by Advisera: https://advisera.com/training/iso-27001-lead-auditor-course/

    It is important to note that, for the purposes of becoming an auditor for a certification body, you have to renew your certificate before the three-year validity period of the lead auditor certificate expires.
  • Application of AS9110

    Answer:
    While AS9100 Rev D applies to any manufacturer in the aerospace industry (specifically aircraft, space and defense organizations), AS9110 is specifically for aviation maintenance organizations, precisely for organizations that do repair and overhaul for the aircraft industry. This standard is for companies that take parts from aircraft, such as motors, and repair or overhaul them to make them work again. It is not for standardized repairs of a company's own products as part of a customer return scenario.
    So, you are correct: unless a customer or legal entity specifically requires that a company is AS9110 certified, this may not apply to you. If you do overhaul functions for aircraft electronics you may wish to investigate this standard for those operations, but not if you are strictly fixing customer returns, and certainly not if you are not in the aircraft portion of the aerospace industry.
    For more on the differences, see the article: How does AS9110 & AS9120 relate to AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/10/30/how-does-as9110-as9120-relate-to-as9100-rev-d/
  • Matters to consider when determining R & O


    Answer:
    When working with an organization to implement a quality management system according to ISO 9001:2015 I consider three main sources for risk determination. https://www.screencast.com/t/X9sdo0ko

    (4.4 f)) - Risks related to processes. https://www.screencast.com/t/qCZIf2dKJV
    For example: What can go wrong in the process above that makes bad parts and bad packages? What opportunities are there for improving productivity or reducing cycle time?

    (5.1.2 b)) – Risks related to products and services. What can go wrong with products and services when used by customers?

    (6.1.1) – Risks related to clauses 4.1 and 4.2. For example, the government can publish legislation that works as a barrier to competitors and makes our organization win market share. For example, technological evolution can make our production process obsolete.

    The following material will provide you more information about risks and opportunities:
    ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    How to identify risk controls in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/21/how-to-identify-risk-controls-in-iso-90012015/
    How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
    Free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
    Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
    Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Background check for suppliers


    1. Within the Supplier Relationship requirements, we were instructed by a previous ISO 27001 consultant that we should confirm background checks are being conducted on any suppliers which have physical access to our property, or have access to our data and network. After reviewing “11.A.15.2_Supplier_Data_Processing_Agreement_Integrated_EN.docx”, there doesn’t seem to be any agreement to background checks by the “Processor”. But, within “11.A.15_Supplier_Security_Policy_Integrated_EN.docx”, the policy states under the screening section (3.2) that screenings may be necessary. Are background checks not a requirement for Suppliers within ISO 27001?

    Answer: Background checks, as part of the screening process, like any control from the ISO 27001 Annex, must be applied only if one of the following occurs:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of the control
    - There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of the control
    - There is a top management decision requiring the implementation of the control

    If none of these options occur there is no need to implement a particular ISO 27001 control. So background checks do not need to be implemented if there are no risks, there are no particular requirements, and there is no decision from the management.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    2. Is there an updated “11.A.15.2_Supplier_Data_Processing_Agreement_Integrated_EN.docx” which includes background checks, or can you provide the verbiage to include? Please let me know if you need any further details in order to answer these questions.

    Answer:

    You have the up-to-date version of “11.A.15.2_Supplier_Data_Processing_Agreement_Integrated_EN.docx”, but if, considering the previous answer, you understand that you need to apply background checks, you can schedule a meeting with one of our experts and he will help you to develop this text. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
  • Templates content


    Answer:

    Mentioning references is not mandatory for ISO 27001, but it is considered good practice, because it makes it easier to identify which requirements the document is fulfilling, which in turn makes the job of auditors easier when checking the documents, and the job of document owners easier when reviewing and updating them.
  • Policy statement


    Answer:

    First, it is important to understand that these policies are different because they have very different audiences. The ISO 27001 policy is to be used by top management, while the ISO 9001 policy is for public display. We do not recommend trying to shorten the ISMS policy to a one-page document, because there is a risk that the document does not fulfill the standard's requirements.

    You can develop a public display version of the ISMS policy to fulfill your needs, but this version has to include a disclaimer stating that it is not the full version of the ISMS policy, where the full version can be found, and that this version does not deviate from the content of the full version.

    Considering all this, to create a version of the ISMS policy statement in the same format as the Quality policy, as general guidance you should change the references from ISO 9001 to ISO 27001, because most of the requirements are the same. For example:

    - in the first paragraph you should have something like this: "The basic orientation of [organization's name] [include here the objectives defined on section 4.1 of the ISMS policy]"
    - in the bullet related to commitment you should have something like this: "Commitment to protect information from [processes/services described in the ISMS scope document]"