Section 5 refers to legal business, organisational structure and management responsibility. Typically this is included in the Quality manual. You then have other procedures, appendices and associated records available to provide evidence that the stated approach is followed.
Clause 5.1 refers to the need for a legal entity.
5.2 Requires you to define who the senior management are and who holds the top management position. This is for resource allocation (budget) and dealing with any conflicts of interest in the laboratory. That is who has overall responsibility to ensure policies are supported and that quality/accreditation objectives are met. This person signs the quality policy, typically approves the quality manual and chairs or oversees the Management Review.
5.3 Requires you to define the scope of work (what you do) and state which activities comply with ISO 17025. Those are the tests you will apply for accreditation for.
5.4 Requires you to look beyond just your operational and quality preferences, the mandatory requirements of ISO 17025 and those of your accreditation body. You need to consider and include all applicable regulations and requirements of interested parties. For example, Safety laws, labour laws and any requirements of your sector for the laboratory to be registered or certified with a particular regulatory body.
5.5 a) Requires you have a clear management structure documented and to provide an organogram as defined.
5.5 b) ties in with clause 6.2. Personnel must be informed of their roles and this must be documented. For example, a small laboratory may not have a person appointed as a quality manager; however, a senior analyst may be required to perform the role of a quality manager together with other functions. This must be clearly stated and communicated.
5.5 c) This ties in with clause 8.2 Management system documentation. All mandatory requirements must be met plus any needed (processes, procedures and records) to control your specific risks (operational and quality) as necessary. These requirements should be directed by your policies, objectives and method performance. For example, if turnaround time (TAT) for resulting is an objective, you need to document a way and use charts or other tools to monitor your success and risks of not meeting TAT.
5.6 Ties in with clause 6.2. Personnel must be assigned to the activities listed in a to e.
5.7 Is directed specifically at laboratory management. You have to define how communication is going to take place, such as how often you have meetings and how management develops a quality culture in the laboratory to meet your quality objectives. Secondly, management must have a system in place for change control so that laboratory personnel, even if authorised, don’t just move ahead with changes to the management system to adopt opportunities for improvement without considering the risks to current operations and quality.
The Whitepaper Clause-by-clause explanation of ISO 17025:2017 may assist you, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
1 - It is the certification body who is insisting that if we want to include development in the scope, and the relevant SoA controls, then all the developers must be included. In our opinion not all the developers are relevant for the ISMS. What can we argue against that vision?
Please note that if all developers have access to the information you want to protect, then all developers need to be included in the scope (the point is not if they are relevant or not, but which information they can access). In case you can evidence that the developers you do not want to include in the scope cannot access the information you want to protect, then you do not need to include these developers in the ISMS scope.
2 - You mention to reduce the scope. We don't have a specific requirement from our customers regarding the scope or the development department, but we think that since we develop software it should be included. Why do you think that doesn't matter and that it is ok to reduce the scope?
Please note that it is not a question if we consider if it matters or not to keep the development in the scope (this decision is up to the organization according to its objectives and strategies). The situation is that the certification body is suggesting you make some adjustments, and we just provide informed alternatives for you to make a decision.
In our point of view, if you want to keep the development process in the scope, you need to make the adjustments suggested by the certification body (more details about the rationale are in the answer to question 1). If you understand the adjustments are not necessary, you need to reduce the ISMS scope, so these points are not questioned by the certification body anymore.
Please note that you can keep the information security practices for development regardless of whether they are in the certification scope or not. Maybe after some time, you will have more data to decide to include it in the scope.
3 - Other question: does this little wording really mean so much in terms of who should be included in the scope?
"The information systems that support" vs "The operation of information systems that support"
Please note that when you refer to "The information systems that support", all personnel who interact with the information systems need to be included in the scope (e.g., IT personnel, users, customers, etc.).
When you refer to "The operation of information systems that support", you limit the personnel who interact with the information systems to the people who keep them running, i.e., the IT staff.
ISO 17025 is applicable for all testing and calibration laboratories. There is no mandatory requirement to use standardized methods. When using an in-house developed method you have to show you can meet the performance requirement of the method to fit the purpose. In other words, achieve suitable accuracy and precision and other parameters such as limit of detection, based on need and risk, i.e. tolerated variation in results.
For accreditation all mandatory requirements of ISO 17025 must be met. For technical requirements this includes method validation, ongoing internal quality control to ensure the validity of your results and participation in a proficiency testing scheme or interlaboratory comparison. I suggest you engage with your quotation body and pose the question to them of how you would proceed for your accreditation in your field.
The Whitepaper Clause-by-clause explanation of ISO 17025:2017 may assist you, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
For more information on the mandatory requirements, see the Whitepaper Checklist of mandatory documents required by ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025
There still is no official date for starting the review of both ISO 27017 and ISO 27018 considering the new ISO 27002. The expectation is that this timeline will be published together with the information about the update of ISO 27001.
1. What we are getting confused over is, what information/content can stay in Fibery and Hubspot (and other Collaborative apps like Confluence – which we will be using) and what we need to move into the DMS. Is there any guidance on how to approach this? For example, if we leave ISMS related content in Fibery and point the hyperlink to the content is that OK ...
ISO 27001 does not prescribe where to store documents and files, so organizations can adopt the approach that better suits their needs, provided the standard’s requirements for creation, update, and control of documents are fulfilled.
Considering that, your approach of leaving ISMS-related content in Fibery and pointing the hyperlink to the content is acceptable, provided you fulfill the standard’s requirements for the creation, update, and control of documents.
For further information, see:
2. Another question is, most 3rd party apps provide features to create documents. For example, Fibery has a document function to create docs to their standards. However, they do not have the fields to store many of the ISO document standards, like control info and classification type. And access can be open to anyone authorised. Would it be fair to say that any ISMS related documents and records should not be stored in such an app?
Your understanding is correct. You should avoid the use of apps that cannot allow document management according to ISO 27001 requirements.
A data breach is defined in Art 4 GDPR – Definitions – as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. According to Article 33 GDPR – Notification of a personal data breach to the supervisory authority – the data breach should be reported to the Supervisory Authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. When you assess the risks related to the rights and freedoms of data subjects, you need to ask what could happen to the data subject if the compromised data were exposed.
If an email account is compromised, there are significant risks for conversations to be exposed, for email addresses to be exposed, attacked, or abused. All these risks need to be assessed and documented before deciding to report them to the authority. Anyway, the supervisory authority is requesting each data controller that reports a data breach to give all the details related to the data breach, including likely consequences for the affected data subjects.
In the EU GDPR Premium Documentation Toolkit, in directory 12 – Personal Data Breaches – there are two templates to help you: a procedure for Data Breach Response and Notification and a Data Breach Notification Form to the Supervisory Authority. If you fill in all the details in these two documents, you will know better whether to report the incident to the supervisory authority or not.
Please consult also these resources:
Please note that ISMS audits are based on ISO 27001, not on ISO 27002.
Considering that, until changes made in the new ISO 27002 are incorporated in ISO 27001 Annex A, ISMS audits can be based on the valid version of ISO 27001 standard.
This article will provide you a further explanation about new ISO 27002:
- 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
Please note that by “All required ISO 27001 documents” we mean that our ISO 27001 Documentation Toolkit covers all mandatory documents and some documents that are not mandatory. The controls you listed do not need to be documented according to the standard, and in our opinion, it would be an overhead to document each and every one of them in a small company.
Our toolkit is created specifically for smaller companies that want to implement ISO 27001 in a quick way, without unnecessary paperwork; for larger companies that require more documents, we recommend getting some other solution.
This article will also help you:
Please note that “continuous responsibilities” refers to tasks without a specific deadline (i.e., they must be performed while the ISMS is being used) that must be performed on demand.
Considering that, you should consider such tasks as done for a specific demand when you generate the related evidence that it was performed.
For example, the task “Identify all legal, regulatory, contractual, and other requirements related to interested parties that can affect or be affected by information security management.”, is considered “done” when you update the Register of Requirements module.