If you are referring to the need for auditors to be certified, then no, there is no specified need to be certified. Internal Auditors need to be competent to perform internal audits for their facility, meaning they have the depth of knowledge and understanding of the purpose of ISO 17025, and have auditing know-how and soft skills for approaching lab personnel.
If you are asking if you need both lead and other auditors, then again, this is not a mandatory requirement. In a large laboratory there may be teams of internal auditors, and then it makes sense to have a lead of the audit team. This person typically plans the audit with the Quality Manager as per the programme (schedule) and ensures that the team has suitable resources (such as the correct checklists and audit scope). It does not necessarily mean that they perform the management audit components as performed by a lead assessor of an accreditation body. Arrangements all depend on the size of your laboratory and the competency of available personnel to perform internal audits. In a large laboratory, having lead auditors do the management (non-technical) audits is a practical arrangement for efficiency.
The following will provide more information on Internal Audits:
How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/
The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report are available separately from the procedure link above; or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
Book - ISO internal audit: A plain English guide at https://advisera.com/books/iso-internal-audit-plain-english-guide/
"Do we have to proactively apply for GDPR compliance by proving that we are compliant or we should make our product compliant without showing to any authority.
In short is it enough if I follow the guidelines and make the changes or will I have to apply/show it to some authority"
You must follow guidelines and regulatory requirements and implement changes to your product/organization without showing them to any Authority. However, Article 24 GDPR requires the data controller to be able to demonstrate compliance in case of controls by the Supervisory Authority (the so-called principle of accountability).
Here you can find some information about how to implement EU GDPR:
9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
If you need to understand how to implement EU GDPR in your organization, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Great move! Video is a powerful tool for instruction, as a procedure.
According to my experience, be sure to:
The best way to keep on top of the OH&S performance of the OHSMS is to develop some Key Performance Indicators that you can track to show how the organization is doing for OH&S performance. These indicators may start with “number of accidents”, which you can then improve, but organizations that are working towards more prevention may look closer at “close calls” (incidents that could have caused injury but did not) and try to reduce these incidents so that in future they do not cause injury. Monitoring and measurement in the OHSMS is the key to keeping on top of what is happening.
For more on how monitoring and measurement works in the OHSMS, see the article: How to establish and evaluate key performance indicators for ISO 45001, https://advisera.com/45001academy/blog/2015/07/22/how-to-establish-and-evaluate-key-performance-indicators-for-iso-45001/
1) 11.1 Measurement Report in the ISO 27001 toolkit is not referenced as mandatory, whereas in the integrated toolkit 17.1 Measurement Report is referenced as mandatory.
First of all, sorry for this confusion.
The Measurement Report is to be considered mandatory.
Please note that the Measurement Report is related to ISO 27001 clauses 6.2 and 9.1, and both require documented information about security objectives (clause 6.2) and monitoring and measurement results (clause 9.1).
2) A.16.1 Appendix 1 - Incident Log can you please advise where that is referenced in the integrated toolkit?
In the integrated toolkit, the document to be used to log incidents is the Data Breach Register, located in folder 14 Security Controls >> 14.A.16 Incident Management and Data Breaches.
3) Can you please advise where the below are included in the ISO 27001 toolkit?
14.A.13.1
Includes Annex 1 – Standard Contractual Clauses for the Transfer of Personal Data to Controllers applicable to ISO-27001
14.A.13.2
Includes Annex 2 – Standard Contractual Clauses for the Transfer of Personal Data to Processors applicable to ISO-27001
The requirements regarding privacy applicable only for ISO 27001 are covered in the Information Transfer Policy, located in folder 08 Annex A Security Controls >> A.13 Communications Security.
“A) say notes will be taken of their response as evidence that they are doing their job.
Answer:
Saying that “notes will be taken of their response” is a good approach; you are warning them, but it is better to justify it: you have a report to write and you don’t trust your memory, so you have to write your notes.
B) establish a good rapport with the auditee: ask short questions and listen.
Answer:
Establishing a good rapport with the auditee is a good approach. Present yourself, put people at ease, some may have never been audited and they may be scared. Explain why you are doing the audit. Ask them things about what they are doing, rephrase their answers when you want to check you really understood their answer.
C) put the auditee at ease and encourage them to mark out existing nonconformities."
Answer:
No, “encourage them to mark out existing nonconformities” is not a good approach. You know the audit criteria: interview people, observe actions, check documents and records. If you think you found nonconformities, state them, to allow any clarification.
The following material will provide you with information about audits:
From a certification point of view, provided the certification body is accredited, it can be from any country, not only the one of the company to be certified.
However, you also need to check if you have local laws/regulations, or customer contracts, about the country of origin of the certification body.
If you have no legal or contractual limitations, you can get ISO 27001 certified by a certification body from any country.
These materials will provide you with a further explanation about selecting a certification body:
To extend the ISMS scope you have to perform all the steps as if you were implementing the ISMS for the first time, on a scale equivalent to the size of this extension.
While you will have less effort related to common requirements such as document and record control, internal audit and management review, the effort for the risk assessment and treatment will depend on how similar this extension is to the current scope. If they are similar, you may use existing controls and security metrics with only minor adjustments.
In the Secure and Simple book, you should take a look at chapter 5 - FIRST STEPS IN THE PROJECT, which explains how to develop the ISMS scope.
These articles will provide you with a further explanation about implementing ISO 27001 (the concepts are the same for scope extension):
This material will also help you with implementing ISO 27001: