Search results

  • ISO 9000 and ISO 9001

    ISO 9000 never changed into ISO 9001.

    The first versions of ISO 9001 and ISO 9000 were published in 1987.

    ISO 9000:1987 was mostly about guidance in selecting and using ISO 9001, ISO 9002, and ISO 9003. In the year 2000, ISO 9002 and ISO 9003 were removed, and ISO 9000 absorbed the quality vocabulary standard ISO 8402.

  • Contract Review and Operational Planning

    Contract review was the language used by ISO 9001 until the year 2000 version. After contract review you have a signed contract and you know what the client requirements are. Operational planning implementation is about planning how to execute that contract. Things like:

    • Who will lead this contract?
    • What team will work there?
    • What machines and tools will be used there?
    • What materials need to be ordered to what dates?
    • What quality control plan to use?
    • What contract schedule to follow?
    • What monitoring to follow?
    • What invoice plan?
  • 17025 Accreditation for Electronic Test Laboratory

    Yes, a laboratory can be accredited for electronic tests, either as a testing or calibration laboratory. This will depend on the service to be offered. I suggest you contact your accreditation body for further information on which programme will suit your scope of work. You can search for your national body and others at https://ilac.org/ilac-membership/members-by-economy/

    For more information on ISO 17025 see ISO 17025 – Main guidelines at https://advisera.com/17025academy/what-is-iso-17025/

  • Is a Competitor an Interested party

    First, remember the purpose of determining interested parties is not to make the longest list of interested parties but to make the list of the most relevant interested parties.

    Second, please check Annex A.3 from ISO 9001:2015. Last paragraph: There is no requirement in this International Standard for the organization to consider interested parties where it has decided that those parties are not relevant to its quality management system. It is for the organization to decide if a particular requirement of a relevant interested party is relevant to its quality management system.

    In my opinion, I prefer to frame a particular competitor as an external issue in the organization’s context. However, I also see organizations including “competition” as an interested party. This approach becomes inconsistent when we determine competitors' requirements and expectations. The success of the quality management system does not depend on meeting their requirements and expectations. However, a particular competitor can represent a threat (negative external issue) that, combined with the organization's weaknesses and the interests of customers, can result in a major risk.

    You can find more information below:

  • AML-ISO 27001

    I’m assuming that by AML you mean Anti-Money Laundering.

    Considering that, ISO 27001 does not require AML to be implemented, and does not prescribe specific policies for AML, but by means of risk assessment and identification of applicable legal requirements (e.g., laws, regulations, and contracts), an organization can identify controls that can be used to develop policies and procedures for AML.

    For example, ISO 27001 has controls that can be used to monitor suspect/unusual activities (controls from Annex A section A.12.4 Logging and monitoring), help gather information from authorities and special interest groups (controls A.6.1.3 Contact with authorities and A.6.1.4 Contact with special interest groups), and ensure proper validation of systems and technologies prior to deployment (controls A.14.1.1 Information security requirements analysis and specification and A.14.2.9 System acceptance testing).

    This article will provide you a further explanation about controls selection:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • ISO27001 Lead Implementer Training

    1 - I recognize that the exam for the course provided by Advisera is "accredited" by Exemplar Global but there seem to be several ISO27001 Lead Implementer qualifications provided by and accredited by various companies. Are these qualifications benchmarked against each other to ensure they are the same level of detail/difficulty?  

    Unfortunately, at this moment our ISO 27001 Lead Implementer exam is not accredited, but we are in the accreditation process at this moment. As soon as this process is concluded our customers will be contacted.

    Considering accredited exams, you need to check if the accredited providers are certified against ISO 17024 – which provides general requirements for bodies operating certification of persons.

    Provided they fulfill this standard’s requirements, their certifications' qualification levels are similar.

    These articles will provide you a further explanation about ISO 27001 personnel certifications:

    2 - Also, having passed the exam can you state you are an "ISO27001 Lead Implementer" or do you need to demonstrate some level of practice in the industry (in the same way as the CISSP and CISM qualifications) to an overarching body?

    I’m assuming that by overarching body you mean “certification body”, or a similar organization that is responsible for issuing the certification (like ISC2 for CISSP and ISACA for CISM). 

    Considering that, depending on the organization that is responsible for the exam, there may be other requirements to fulfill to be allowed to use the title "ISO27001 Lead Implementer". To know the specific details, you need to contact the exam provider directly.

    For Advisera's ISO 27001 Lead Implementer Course, there are no additional requirements but attending the workshop and passing the exam.

  • Who to audit during Top Management audition

    ISO 9000:2015 defines top management as “person or group of people who directs and controls an organization at the highest level”. Normally, auditing top management means auditing the member of the top management responsible for the quality management system (QMS). Auditing top management may mean auditing the owner of an organization, or the member of an Administration board responsible for the QMS.

  • Creating validation report

    The validation procedure for the new machine consists of the following elements: installation qualification, operational qualification, and performance qualification. The purpose of the validation is to prove that the new machine works correctly and provides accurate and expected results. Installation qualification confirms that the exact required equipment has been received and installed, in the correct design or format in undamaged form with parts, spare parts, gauges, and other necessary elements. Operational qualification ensures that the installed equipment will function in accordance with all its operational specifications in the specified environmental conditions. Performance qualification ensures that the installed equipment consistently performs its functions in accordance with the specification corresponding to its daily/routine use.

    For each validation, you need to have a validation plan and validation report. The validation report must have the following elements:

    • It must identify the impact of each piece of equipment on the product
    • Identify the risk that equipment has on the final product
    • Document which SOPs are used, calibration equipment, etc.
    • Have to have all criteria defined what is acceptable and what is not
    • All test results that were performed during the validation process
    • Photos are always a good way of proving that you have performed something – like a photo of the screen on the equipment that reflects the conditions of the process and so on
    • Criteria when the revalidation will be performed

    For more information, see:
