Answer:
Giving generic root causes and corrective actions is difficult because, when the corrective action process is done well, it needs to be very specific to the systematic problem that was faced. For instance, if you were investigating an error in the design of a part, you may find that there was a root cause problem with the calculations caused by an input error in the program, and the corrective action would be to correct the drawing and put in a better check system for the inputs. However, if you found that the root cause was due to a previously unidentified problem in the calculation system, you may need to take action to put in place the temporary check procedures and the system corrections and updates necessary to address this risk, which could entail a very lengthy implementation plan.
IT General Controls are controls that are common to IT processes, providing stable and effective operation of application controls. They cover fields like creation / acquisition of systems, the SDLC process, access control, backup, change control, etc. ISO 27001 is one way to implement ITGC, providing objectives and, through ISO 27002, detailed implementation guidance.
2. What is the difference between external and internal auditors, and practically how does the internal auditor assist the external auditor?
Answer:
The internal auditor performs audits on behalf of the organization that owns the management system, while the external auditor performs audits on behalf of an organization's client (second-party auditor) or a certification body (third-party auditor). Normally the internal auditor may act as the guide for the external auditor, providing some general orientation for performing the external audit.
Do you think it is possible to exclude A.12.1.2 for this area from our applicable controls without losing the certification status?
Answer:
If I understood correctly, the only issue in your current change process is about raising the change in advance. Considering that, the standard requires you to control the changes, not necessarily to "raise" them in advance, so there is no need to exclude the whole control (you can exclude only the "raise in advance" part).
To exclude a control you have to demonstrate that this exclusion won't give rise to unacceptable risks, nor mean failing to fulfil contracts, laws or other legal requirements with which your organization must be compliant.
If you can satisfy these conditions, this exclusion will not affect the ISO 27001 certification (but it does not seem to be your case).
Product Realization requirements for distribution and manufacturing facility
1. The facility is a manufacturing and distribution warehouse. Do I still need to meet clause 7, Product realization, requirements as per the standard?
2. Do we need to keep medical device files for all our stored substances or is this for a manufacturer only?
Thanks for your help
Answer:
1. I am currently doing an ISO 13485 system for the first time. I have several years of experience in ISO 9001 and EHS but need help in 13485, please. The facility is a manufacturing and distribution warehouse. Do I still need to meet clause 7, Product realization, requirements as per the standard?
Answer: If you are providing services of distribution and manufacturing to external medical device clients, yes, you have to meet Clause 7.
2. Do we need to keep medical device files for all our stored substances or is this for a manufacturer only?
Answer: Yes, keep a copy of the medical device files.
Environmental aspects with a jeans producing company
Answer:
I have no previous experience of working with a jeans producing company. However, I would start by designing the jeans life-cycle:
Raw material production and transport
Raw material preparation
Denim production
Garment production
Transport and retailing
Distribution to the end user
Recycle or Reuse or Waste management
Then, according to the organization’s capacity for controlling or influencing interested parties along the jeans life-cycle, I would start listing environmental aspects. Their evaluation can be done according to one of several methodologies easily available.
Answer:
An organization, a business unit or a hospital, can have several lines of products, can have different markets, can provide different services. Once an organization decides to implement a quality management system (QMS) and certify it, the organization is not obliged to integrate all those services, lines and products under the QMS and subject all activities to certification. For example, a hospital with 10 different services can decide to certify only 2 (Diagnostic Imaging and Gastroenterology). Deciding the scope of the QMS is not a technical decision, it is a management decision.
The certificate describes the scope of the QMS in order to avoid misleading any interested party.
The first thing to do is to identify which documents must be accessed by which persons or roles, so you can group them in a way that will minimize the risk of unauthorized access.
For example: fire & explosion emergencies, and how to identify emergency situations arising from fires & explosions.
Answer:
The main requirement from ISO 45001 and the OHS management system is to identify potential emergency situations and then create response plans for them; these situations need not be broken down further unless the company determines this to be necessary. There are a number of ways to identify emergency situations: look at legal requirements for emergency response, review the hazards and risks you identified for your processes, and look to industry guidelines and rules that might exist.
Remember, the important thing is to identify what could go wrong in your workplace that could lead to an emergency and make a plan to respond.
You can learn more about hazard identification in this article: How to identify and classify OH&S hazards, https://advisera.com/45001academy/blog/2015/05/14/how-to-identify-and-classify-ohs-hazards/
For more information on what needs to be documented for ISO 45001 see our whitepaper “Checklist of Mandatory Documentation Required by ISO 45001”, https://info.advisera.com/45001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-45001
Risk assessment and risk management
Answer: Risk assessment is the process to identify, analyse and evaluate risks, so you can prioritize them, allowing you to focus on the most relevant risks and optimize resources.
2. What is the difference between threat and risk?
Answer: A threat is an agent (e.g., a person, malware, a natural event, etc.) that has the potential to cause an incident, while the risk is the relation between the impact and the probability of an incident happening.