  • Is ISO 17025 needed?

    You said “We need to do test that requires that they are doing under a laboratory quality management system compliant to ISO 17025 or alike standards”

    I do not have the background whether you are referring to testing medical devices and if you offer contract testing or internal testing of your own medical devices. I suggest you obtain some specific information from the party requiring this, as there are regulatory requirements related to medical devices.

    As an overview, ISO 9001 is a general management system standard; it is not designed to provide assurance that a laboratory is technically competent to perform a particular test. The ISO 9001 management requirements are included in ISO 17025, so with your ISO 9001 system certification you can implement the additional ISO 17025 requirements to work in accordance with ISO 17025 and thereafter achieve accreditation. ISO 17025 is specifically applicable to testing and calibration. Both ISO 17025 and ISO 13485 are competency-based standards with some overlap. Typically a medical device manufacturer does not need ISO 17025 accreditation; however, when it comes to testing medical devices, many of the ISO 17025 practices are beneficial.

    For some more information on ISO 17025 see this Q&A reply and links within: https://community.advisera.com/topic/17025-vs-13485/

  • Impact column in Asset Inventory

    Thanks for your answer Rhand.
    I don't see the benefit for us while there is also an Impact column in the risk spreadsheet.
    Is this an ISO 27001 requirement? i.e., do we have to have this impact column in the inventory of assets?

  • Documentation package content

    The Documentation Toolkit based on ISO 27001:2022 is organized differently from version 2017 of the toolkit.

    Documents based on the controls from ISO 27001:2022 Annex A are located in folder 09 Annex A Security Controls. The documents are not organized considering section 5. Organizational Controls, 6. People Controls, 7. Physical Controls and 8. Technological Controls because most documents cover controls from multiple sections and this kind of organization wouldn’t make sense.

    For example:

    • the template Clear Desk and Clear Screen Policy covers physical (A.7.7 - Clear desk and clear screen), and technological (A.8.1 - User endpoint devices) controls
    • the template Bring Your Own Device (BYOD) Policy covers organizational (A.5.14 - Information transfer), people (A.6.7 - Remote working), and technological (A.8.1 - User endpoint devices) controls

  • IMS Standards

    Yes, you can still use the term "Management Representative" in your documentation, even though the specific role is no longer mentioned in ISO 9001:2015. While the 2015 version of the standard does not require a designated "Quality Management Representative," it does not prohibit using the term in your organization's documentation or procedures.

    The term "Management Representative" can still be meaningful within the context of your organization's quality management system. It can represent the individual or individuals who are responsible for overseeing the QMS and ensuring its effectiveness.

    Using the term "Management Representative" can provide clarity and a clear point of contact for QMS-related matters within your organization. However, it's essential to ensure that the responsibilities and roles associated with the "Management Representative" are clearly defined in your documentation (job description, for example). This ensures that everyone understands their responsibilities and facilitates effective communication and coordination in managing the QMS.

  • Question about SMCA

    The proper way to identify which assets (e.g., products and services) you need to consider for ensuring the continuity of your customer process is by performing a Business Continuity analysis (BIA).

    The BIA will help you identify how businesses are affected by disruptive events, and from this analysis, you can identify which assets (i.e., your products and services) you need to consider for the recovery efforts. 

    For further information, see:

  • Controlled documents

    Yes, these documents should be in the title of the controlled document. The storage period should first be determined according to the customer's specific requirements.

    If there is no request on this subject, you as an organization should determine the retention period.

    Apart from this, these test reports should be accessible, the records should be protected against fire, wetting, etc.

  • Scope (locations and addresses)

    For certification purposes, an organization needs to provide at least one physical address (in general, for remote work environments, where management activities are performed). Since you do not want to include the CEO’s home address you should consider an alternative location like renting a small office in a shared workspace, for example.

  • Identifying Controlled prints/documents

    The IATF 16949 standard does not require anything different from ISO 9001 in document management. Having a stamp is not a necessary requirement for either.

    The important thing is that it is clear who prepares and approves the document, that the revisions are followed systematically, and that the current versions can be found in the places of use.

    Your company should establish and implement the revision tracking system, but this does not necessarily mean that it will be stamped.

  • Register of Requirements

    Please note that writing contracts requires legal expertise, and our expertise is in ISO standards and how to implement them.

    In general terms, contracts can be signed between the company and its employees (e.g., employment contracts), and the company and its customers and suppliers (e.g., service agreements).

    The main elements of a contract are the contract object (what is to be delivered), the identification of involved parties, and the rights and obligations of each party (contract clauses).

    In terms of information security clauses, these are based on risks that require mitigation and legal requirements that need to be fulfilled.

    For example, if there is a relevant risk of data loss, you may include a security clause to enforce the adoption of backup procedures to ensure copies of the information will be available. In case your company needs to be compliant with a privacy regulation like HIPAA or EU GDPR, you may include a security clause to enforce the other party to adopt practices to protect personal data and people’s privacy.

    For the proper writing of information security clauses and other contract clauses, we advise you to hire a legal expert.

    For further information, see:
