Answer: Annexes B (Identification and valuation of assets and impact assessment), C (Examples of typical threats) and D (Vulnerabilities and methods for vulnerability assessment) from ISO 27005 are compilations of common practices and situations found in the market, so there is no problem adopting them in your framework.
This toolkit will provide you with templates to build your internal audit process, audit plan and other documents required to perform an internal audit according to ISO 27001.
Answer:
The relevant clause of AS9100 Rev D that discusses this is Clause 8.6, Release of Products and Services. This clause discusses not releasing the product or service until all planned arrangements are met, or any difference is agreed to, and ends with the requirement to have documented information on the release of the product or service, which is often a C of C in the aerospace industry as you have indicated (even though AS9100 does not use this term). The requirements for this documented information are that it includes a) evidence that the product and service is conforming, and b) traceability to the person(s) authorizing release.
So, AS9100 does not say who that authorizing person needs to be; it is up to you to determine this. In general, what you would need to do is determine the competence that is needed for authorizing the release, and then determine who has that competence. If you can show that the documentation tech has the competence to look at all of the documented evidence that shows that the machined parts conform to all requirements and determine that what you are sending meets those requirements or has been accepted otherwise, then you will have an argument that this person can do this task. Of course, this does always link back to the customer contract, so if they identify who needs to sign the C of C then there is nothing to really justify. If they ask for the quality representative, then it is hard to argue.
If you want more information on the quality representative in the AS9100 QMS take a look at this article: https://advisera.com/9100academy/blog/2017/09/25/who-is-the-best-person-to-be-as9100d-quality-representative/
Internal auditor competence
Answer:
In order to demonstrate competency, the internal auditors must demonstrate understanding of the five points listed in the standard under clause 7.2.3. The standard doesn't say how to verify the competence, so it can be done in any way that the organization finds most appropriate, whether by attending internal auditor courses and providing certificates, or by conducting internal training and testing the auditors against the above-mentioned criteria.
As far as second-party audits are concerned, the standard also defines requirements for competency in clause 7.2.4, and again it doesn't require a certificate, nor does it define the method for verifying their competence, so the same rules apply.
An internal auditor course is a good way of demonstrating competence, simply because it provides documented evidence issued by a third party.
IATF 16949 9.3.2.1 identifying potential field failures
Answer:
A field failure is, in a broad sense, a failure of the product when used by the customer, or the end user, in the intended application. Quality field failure data has often been described as the ultimate source of reliability information.
Usually, organizations count failure events and assess their effect on the end user. This is just an initial type of information the organization must have. Depending on the type of product the organization manufactures, different KPIs can be established, for example number of failures/number of field operational hours. This covers only requirement 9.3.2.1 k); for requirement j) the organization needs to conduct an FMEA analysis in order to determine potential field failures, their potential frequency and effect, and to take actions to mitigate this risk.
They have several differences, which is what has kept them from harmonizing. ISO 13485 is a standard based on ISO 9001 that is specific to medical devices. This standard is not adopted by the Food and Drug Administration (FDA), but the FDA participated in writing ISO 13485 to make sure their requirements and ISO 13485 are aligned. The FDA QSR has more stringent complaint handling and reporting requirements.
However, if a company meets the requirements of ISO 13485:2003, they should easily be able to meet the FDA Quality System Requirements (QSR).
You can use the “core purpose” of the company to develop a quality policy, and by doing that follow clause 5.2.1 a) of ISO 9001:2015. But you should also include the commitments mentioned in clauses 5.2.1 c) and 5.2.1 d). Quality objectives and “core values” are not the same thing. Quality objectives are something that your organization wants to meet in the future; they are tangible results. “Core values” are operating philosophies or principles that guide an organization's conduct.
The following materials will provide you with details about quality objectives:
A department not tracking and measuring objectives is not necessarily failing to comply with clause 9.1 of ISO 9001:2015. The standard does not mention departments; the standard promotes the process approach. If you consider the scope of your quality management system (QMS), any process belonging to the scope of your QMS, according to clause 4.4.1 c), must have performance indicators and targets and must be monitored. So, if a process is not tracking and measuring objectives, it is not complying with clause 9.1.
The following material will provide you with information about the process approach:
Answer: You can save up to 75% in terms of time and effort to implement ISO 22301 when compared to your previous ISO 27001 implementation, because these standards have a lot of requirements in common (e.g., control of documents, internal audit, management review, etc.).
2 - Also, I’ve seen that ISO 22301:2012 will be replaced (https://www.iso.org/standard/50038.html) with ‘ISO/NP 22301’ and we were wondering how much will change.
Answer: ISO/NP 22301 is in its early stage of development, so there is not much information about what will be changed until its final version, but for now we can expect the inclusion of the concept of resilience, which is far more embracing than business continuity in ensuring business survival. The following article will provide you with more information:
- Organizational Resilience – Positioning Against ISO 22301-Based Business Continuity https://advisera.com/27001academy/blog/2017/11/08/organizational-resilience-positioning-against-iso-22301-based-business-continuity/
GDPR compliance for possible new start up business