You said you don't do outside calibrations. As a testing laboratory however, you need external calibration by competent parties to ensure metrological traceability. For example, the analytical balances.
You asked why the adjustment of instruments is not included in clause 7.4. Note that clause 7.4 deals with handling of test or calibration item (after the sampling step) and is applicable for laboratories handling items to be tested (testing laboratories) or calibrated (calibration laboratories).
It is clause 6.4 which deals with the requirements for equipment, including calibration of any equipment which can influence the validity of the results generated (whether a test or calibration result). Here the clause 6.4 requirements must be met for all equipment in the process, which includes, for example, the components of the ICP, the standard used for the calibration curve and the volumetric measuring devices used.
For more information and links to resources, see my reply to the question Equipment qualification at https://community.advisera.com/topic/equipment-qualification/
According to Article 35 of the GDPR, "Data protection impact assessment", a DPIA is performed for personal data processing operations "likely to result in a high risk to the rights and freedoms of natural persons". In the case of ISO, the risks that are documented and treated are related to the organization's information, while in the case of a DPIA the risks are related to the rights and freedoms of natural persons. There are really good templates that can help you address these risk assessments in our EU GDPR & ISO 27001 INTEGRATED DOCUMENTATION TOOLKIT.
Please find more details here:
As a cloud hosting provider, according to Article 28 GDPR, Processor, you should act as a Data Processor. In this case, the data subjects whose personal data are on your servers on behalf of your customers must exercise their right to deletion towards the data controllers (your customers), per Art. 17 (Right to erasure) para. 1: "The data subject shall have the right to obtain from the controller the erasure of personal data". If you, as a Data Processor, receive a deletion request from a data subject, you should either forward the request to the right customer or inform the data subject that they should exercise their right towards the respective data controller.
However, if one of your business customers requests you to delete the personal data they are accountable for, you should comply with this request, because they act as a data controller, per Art. 28 para. 3 (e): "taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights". Regarding data in the backups, that data is deleted anyway after a while.
We are preparing a Live Virtual Training around How to handle a Data Subject Request according to GDPR, stay tuned for the announcements!
Please explore the following links to find more details:
Although ISO 9001 requirements are very much integrated into ISO 17025, as the approach and purpose are different (ISO 9001 being customer focused), you need to assess whether your compliance with certain ISO 9001 requirements is adequate. If your laboratory went straight to ISO 17025 accreditation, i.e. Option A (not preceded by ISO 9001 certification), there may be gaps. Depending on the extent to which a laboratory develops its QMS beyond the minimum requirements of ISO 17025, the level of ISO 9001 compliance differs. I suggest you do a gap analysis of your current QMS against the specific requirements of ISO 9001.
Look at the article ISO 17025 vs. ISO 9001 – Similarities and differences at https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities/
Also have a look at the Advisera 9001 academy resources at https://advisera.com/9001academy/, which includes resources to assist, such as whitepaper Clause-by-clause explanation of ISO 9001:2015 and the ISO 9001:2015 Gap Analysis Tool.
ISO 27001 Lead Auditor certification issued by an accredited training provider is a globally recognized certification, being accepted throughout Europe and the US.
We are not aware of any specific legislation enforcing or forbidding the acceptance of such certification; however, the lead auditor certification is a requirement for people who want to work for certification bodies as certification auditors.
To determine whether ISO 27001 Lead Auditor certification is enforced or forbidden in specific countries, you should look for expert legal advice in the countries where you want to operate.
This article will provide you with further explanation about the ISO27001 lead auditor course:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
This material will also help you regarding the ISO27001 lead auditor course:
- ISO 27001 Lead Auditor course https://advisera.com/training/iso-27001-lead-auditor-course/
No, process capability analysis for the purpose of process control is not a requirement in ISO 9001:2015.
However, if it is a customer requirement, it must be performed.
The Recovery Time Objective (RTO) means how fast after a disaster an organization wants its business to resume operations, and it is defined through the Business Impact Analysis, which helps you understand the level of resources required and the evolution of losses over time (in short, the faster the losses increase over time, the shorter the RTO needs to be, and the more resources will be required).
As a reference for evaluating how many resources are enough, you should consider the losses to the organization if operations are not resumed within a given time. For example, if the losses for not returning within 12h are US$ 200k, and the resources required to return operations at this time cost US$ 250k, then it is not practical to define an RTO of 12h. On the other hand, if the losses for not returning within 14h are US$ 1M, and the resources required to return operations at this time cost US$ 750k, then it is practical to define an RTO of 24h.
These articles will provide you with a further explanation about business continuity concepts:
First of all, congratulations on your approval.
With the toolkit you purchased, you are entitled to receive free updates for one year after your purchase date. In this situation, you will receive documents reflecting the appropriate changes. We will send you the updated toolkit shortly after the ISO 27001 update is officially published.