
  • Device Master File Documentation & Record Control

    DHF is the abbreviation for Design History File, which is a formal document that is prepared for each medical device. The DHF can be either a collection of the actual documents generated in the product development (PD) process or an index of documents and their storage location.

    For more information, see: How to manage design and development of medical devices according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/
  • Transition in an engineering company


    Answer:

    For resources on the transition, I suggest you take a look at our web-page dedicated only to the transition: https://advisera.com/9001academy/2015transition/

    When it comes to risks and opportunities, the standard doesn't require full-scale risk management that includes a documented procedure, criteria for evaluation, etc. It only requires the organization to determine risks and opportunities and take actions to address them. This can be done by arranging a brainstorming session with relevant people in the company and talking about risks and opportunities, or by using some tools like SWOT or PEST analysis. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Internal audit vs. Compliance evaluation


    Answer:

    In both cases, the aim is to determine whether the organization is conforming to the requirements: in the case of internal audit, conformance with the requirements of the standard, and in the case of compliance evaluation, conformance to legal and other requirements.

    Although both internal audit and compliance evaluation require a procedure, internal audit is a more structured and defined process. Requirements for the compliance evaluation procedure are looser; basically, the only requirement for this procedure is to be consistent with the commitment to compliance stated in the OH&SMS (Occupational Health & Safety) Policy. For more information, see: How to identify and comply with legal requirements in OHSAS 18001 https://advisera.com/18001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-ohsas-18001/

    On the other hand, the procedure for internal audit needs to define responsibilities, competencies, and requirements for planning and conducting audits, reporting results and retaining associated records, as well as the audit criteria, scope, frequency and methods. For more information, see: How to perform internal audits in OHSAS 18001 https://advisera.com/18001academy/blog/2015/09/23/how-to-perform-internal-audits-in-ohsas-18001/
  • Quality policy, objectives and indicators

    I think that with a complete example of the whole process of policy, objectives and indicators, it will be a bit easier for us to define these topics.

    My answer:

    Since the quality policy is focused on customer requirements, the quality objectives must be based on achieving customer satisfaction.

    An example could be the following:

    If the purpose established in the quality policy is "Deliver product X to consumers when required, without defects and just in time", then the objective for the first year could be: "Improve delivery times by 90% next year", and for the second year "Reduce delivery errors by 3%".

    The quality indicator for the first objective could be: "Delivery productivity", defined as "km travelled/number of deliveries", and the frequency could be set as "Monthly".

    For more information on objectives, see "How to write good quality objectives": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-escribir-buenos-objetivos-de-calidad/

    For more information on indicators, see "Define Key Performance Indicators for a QMS based on ISO 9001" (in English): https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/#
  • Maturity in ISO evaluation


    When it comes to a system, if the system has already been used for example for 5 years and it already has a lot of records, it means that the system can adopt to any updates and changes if necessary to handle more records for another years of service. Am I right? Hnmmm.. or wrong.

    Answer: I'm assuming in your example you meant "adapt" instead of "adopt".

    Considering that, and the information in the article you've mentioned, a mature ISO system is one that can continuously improve, by means of corrective actions or by taking advantage of opportunities, and provide information to both evidence such improvements and support top management decision making in business issues (e.g. through results of key performance indicators).

    These articles will provide you with further explanation about continual improvement:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
    - Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
  • Transition vs. 1st stage vs. Recertification Audit


    Answer:

    There is no such thing as a transition audit; the audit performed on a system that went through the transition and update to the new version of the standard is simply a certification audit and is no different from other certification audits. I assume that the certification body is using the term transition audit to make it clearer to the clients, but there is nothing special regarding this audit.

    The 1st stage audit is part of the certification or recertification audit, and its purpose is to determine whether the documentation is compliant with the requirements of the standard and to provide input for the 2nd stage audit, also called the main audit, in which the auditors check compliance of the entire QMS with the requirements of the standard.

    A recertification audit is the same as a certification audit; the only difference is that the certification audit is conducted for the first time in the organization, when the certification body and auditors are just getting familiar with the company and the QMS, while the recertification audit is conducted after the certificate has expired and the entire certification cycle starts from the beginning.

    For more information, see: First-, Second- & Third-Party Audits, what are the differences? https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
  • ISMS policy and ISMS framework ( global document)

    1 - Can you please explain the contents that are needed to be included in these documents???

    Answer: To be compliant with ISO 27001, an ISMS policy must define the purpose, direction, principles and basic rules for information security management.

    To see an example of the content of an ISO 27001 ISMS policy, I suggest you take a look at the free demo of our Information Security Policy at this link: https://advisera.com/27001academy/documentation/information-security-policy/

    For more information about the ISMS policy, I also suggest these materials:

    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
    - Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/

    ISMS Framework usually stands for the set of policies and procedures that need to be written to manage security in your company - for examples, see our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    2 - Are ISMS objectives defined first or RA/RT is performed first??

    Answer: The top-level information security objectives are defined before the RA/RT, because they need to reflect the external and internal issues that are relevant and that can prevent the ISMS from achieving the expected results.

    3 - Can organisations have ISMS policy defined before setting ISMS objectives? Because ISMS objectives are included in Policy, I believe policy is defined post objectives and these objectives are defined post RA/RT…

    Answer: You can define information security objectives before or after you publish your top-level ISMS policy - both approaches are allowed since the objectives can be documented in a separate document.
  • Incorporating ISO clauses in an internal audit

    The first thing is that if you have to verify compliance with ISO 27001, you need to have the standard with you. As good as a course can be, it cannot replace the letter of the standard during an audit.

    Considering that, if your audit scope is primarily the development team and their general knowledge of the existing policies, then you should focus on clauses 7.2 (competence) and 7.3 (awareness), to verify whether the development team has the necessary knowledge, skills or experience to perform their activities and whether they are aware of the importance of being compliant with the policies and controls and what the impact of non-compliance is.

    And even though you do not need to check the overall effectiveness of the whole ISMS, you have to check whether the ISMS cycle has been completed in the development process, so you have to go through all clauses from sections 4 to 10, focusing only on the development process (e.g., you have to check the risk assessment of the development process, verify whether the existing competence is capable of handling the risks identified as unacceptable, verify whether the training activities performed were effective, and verify the effectiveness of any nonconformity or corrective action taken in the process).

    This article will provide you with further explanation about how to approach a process in an audit:
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

    Although the article covers certification audit, the same concepts can be applied for internal audit.
  • Do we need to implement all the controls from SoA for the certification?


    Answer: You can leave some of the controls for the implementation for after the certification under the following conditions:
    1) That you have implemented before the certification the controls that mitigate the biggest risks - in other words, you can leave only less important controls for after the certification.
    2) That you have specified the deadlines for the controls that you will be implementing after the certification in your Risk Treatment Plan - of course, those deadlines must be after the certification date.
    3) That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.

    This means that the most important controls must have "implemented" status at the certification, while the less important controls can have status "planned" or "partially implemented" at the moment of the certification.

    See also these articles:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - Risk Treatment Plan and risk treatment process – What’s the difference?

    These materials will also help you regarding Statement of Applicability and the risk management process:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • How is the ISO 27001 Internal Auditor Course structured


    Answer: For this specific topic you should watch module 6 from the ISO 27001 Internal Auditor Course, which covers a general explanation of Annex A and goes through all Annex sections, from A.5 to A.18.