Search results


  • Issue with self-certification process for class I product according to MDR

    Thank you so much, so you don't need to register with each national authority where you are putting your device on the national market

  • Excluding Clause 7.3 (Design and development) from QMS

    If you do not develop completely new products or new services, then it is possible to exclude requirement 7.3. In other words, any change or adaptation of the product, creation of a new version of the product, or development of a new service means that requirement 7.3 is applicable.   

  • Safety Practice in Mining Sector

    I have a question: "An organization is AS9100 Rev D certified, but the organization has had no production from any customer for one year. How can compliance of the QMS be interpreted? How should internal audits be conducted? How should KPIs be translated? What does the standard say about how QMS compliance is evaluated if an organization has had no customer for a long time?"

  • Validity of 17025 accreditation

    You asked: "Once a lab is accredited to 17025, does this expire?"

    ISO 17025 accreditation is awarded for a cycle which could vary between two and five years, depending on the discipline and accreditation body’s policies. Before the end of the cycle, the laboratory needs to reapply for accreditation so that a new certificate will be issued before expiry. At this point the assessment will be as per the original application, in other words more thorough.

    You also asked: "Are there defined time frames for external audits, e.g. every other year or so?"

    Yes, these are called surveillance assessments. The frequency depends on the accreditation body, but they are typically annual. I suggest you engage with the accreditation body to obtain specific information for your laboratory.

    For more information have a look at the Webinar What are the steps in the ISO 17025 accreditation process? [free webinar on demand] at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar-on-demand/ or attend the next scheduled webinar on that topic.

  • Control charts and trending and level IV data validation

    ISO 17025, as per clause 7.11, requires a functional validation of the laboratory information management system used for data collection, processing, recording, storage and retrieval. This means verifying the data integrity from all inputs to the final result. Typically the depth is dependent on the sector that the laboratory is supporting. For example, clinical trials and other regulated sectors will have more stringent requirements than ISO 17025. I cannot tell from your question what Standard or regulatory requirement you are being assessed against and what the level IV data validation requires specifically. This should be provided to you.

    Basically the validation level of effort depends on the intended use of the data and the data quality objectives. On a risk basis it involves an understanding of how every quality control component affects the validity of the final result. For example, the risk of a false-positive or false-negative result.

    Regarding control charts, I am not clear if you are referring to analytical, environmental or data related. Charting is one of the quality process control activities/tools. Note that as per clause 7.7.1 control charts are not mandatory, as long as monitoring the validity of results is planned (have a procedure) and the data is recorded in such a way that trends are detectable. This could be a simple table with the use of flags (e.g. Excel conditional formatting). ISO 17025 requires that where practical, a laboratory should use statistical techniques to review the results. Either way a control chart can typically be set up in Excel or software packages. From your analytical validation data you need to determine the permitted range of results upfront, you set QC rules and then you plot your ongoing data points to monitor any trends. The purpose is to proactively see if results are shifting from the expected measurements. Then you need to act on a correction.

    There are three steps 
    1) Obtain QC data - say 30 analysis results obtained over time during your method validation.
    2) Set the QC pass, fail and QC trend rules. These must be fit for purpose based on your required method performance. That is, do you take action on a result of mean plus or minus one standard deviation, or two, or measurement uncertainty (MU)? A simple approach uses mean and standard deviation. Depending on your measurement uncertainty (MU) decision rules, it may be more appropriate to use your MU as the limits.
    3) Build the chart to indicate the upper and lower limits within which each result should fall. For example, for a specific quality control check with a mean of 10 mg/ml and a standard deviation of 1 mg/ml you could set a warning at 1 SD (i.e. less than 9 and greater than 11 mg/ml) and fail at over 2 SD (i.e. below 8 and above 12 mg/ml). The set or running mean, upper and lower limits are charted on the graph.

    Then monitor and review upward, downward trends and act according to your preset rules.

    For more information and a link to the Quality Assurance Procedure see https://community.advisera.com/topic/clause-7-7-7-7-1/

  • 27001 question

    1 - My question is, how granular should we get? 

    ISO 27001 does not prescribe any level of detail for the inventory of assets, so you can adopt the levels you understand that will better fulfill your needs.

    This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record the organization's laptops as individual assets (you can add a single asset called "laptop"), but if they have specific purposes with different risk levels you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to developed systems and other assets.

    For further information, see this article:

    These materials will also help you regarding:

    2 - Would an auditor need to assess individual product risks because one product uses more 3rd party service than another?

    Please note that the auditor does not assess risks, he only checks if risks are being assessed properly.

    Considering that, in case the auditor identifies this situation where one product uses more 3rd party service than another, he may want to check if the risks related to this product are assessed properly.

  • ISO 27001 and ISO 9001

    Please note that it is not possible because ISO 9001 and ISO 27001 approaches for risk assessment are pretty different. Risk assessment for ISO 9001 needs to cover a broader range of topics than risk assessment for ISO 27001 (ISO 27001 focuses on information security risk assessment, while ISO 9001 focuses on risks related to processes, products and services).

    These articles will provide you a further explanation about risk assessment and document and record management:
    - The Role of Risk Assessment in the QMS https://advisera.com/9001academy/blog/2014/01/07/role-risk-assessment-qms/
    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - Similarities and differences in risk management in ISO 9001, ISO 31000, and ISO 27001 https://advisera.com/9001academy/blog/2016/10/25/similarities-and-differences-in-risk-management-in-iso-9001-iso-31000-and-iso-27001/
    - How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/

    This material will also help you regarding document and record management:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • Help: Creating risk management plan under ISO27005

    1 - So I could drop ISO27001 and use 27005 on its own? That is something I didn't realize you can do, so I thought it might be acceptable to only include the plan parts in the risk management plan.

    Answer: It is not mandatory to use ISO 27001 to use ISO 27005, but if you want to be compliant with ISO 27001 you cannot “drop” it and use 27005 on its own.

    2. Is it common to use 27005 without 27001?

    Answer: Although ISO 27005 provides a good framework for information security risk management, it is not common to use it without ISO 27001.

    3. Sorry one last thing, is there anywhere quotable in ISO 27005 that says it's acceptable to leave parts out?

    It would be useful for me to quote this to justify leaving out those sections as right now I'm just saying the scope of my plan is the plan stage only, but I have nothing to justify this choice.

    Answer: Such a quote does not exist in ISO 27005, but since each section covering steps of the risk management process is structured considering input, action, implementation guidance, and output, you can justify that you are using only a specific step by defining your scope in terms of the outputs you want.

  • ISO 27001 lead auditor

    Please note that accreditation applies only to organizations that want to become certification bodies, i.e., organizations that can certify other organizations against a standard, like ISO 9001.

    So, the statement is incorrect, because in that context the business should become certified not accredited.

    For further information, see:

  • Conformio Questions

    For the “Procedure for Document and Record Control”, under the Record name, it is identified where you record the information about documents from external origin used in the ISMS (in your case the ISMS itself). This information is defined in section 4 – Documents of external origin when you are filling in the document through the Document Wizard.

    Regarding "Storage Location", you can simply write Confluence Folder. There is no need to include a link.
