In terms of ISO 17025 requirements, education and training records and evidence of competence are essential. Typically the diploma without a transcript will be suitable. Laboratories should, however, have recruitment criteria and minimum education requirements documented. If necessary, to verify a specific educational achievement for a particular position, a transcript would be required. This could, for example, be a result (e.g., >70%) for a specific course, or a diploma. Furthermore, depending on the sector, employees may need their transcripts to join a professional body mandated by legislation, for example, a veterinary association or professional scientists association.
To assist you, have a look at the Competence, Training and Awareness Procedure and the four related appendices, available as part of the toolkit, at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
See too, the article How to manage competence in a laboratory according to ISO 17025 at https://advisera.com/17025academy/blog/2021/05/26/how-to-manage-competence-in-a-laboratory-according-to-iso-17025/
Companies that write and develop software embedded in the vehicle should work on software design, verification, validation, configuration verification, etc., and document the details. These issues are related to clause 8.3 and its sub-clauses of the IATF 16949:2016 standard.
You can find information about ISO certification by country in the ISO Survey, which can be accessed through this link: https://www.iso.org/the-iso-survey.html
Since you will also design products for automotive, you are responsible for all of clause 8.3 of the IATF 16949:2016 standard. There is no special list, but you should prepare for all "shall" requirements written between 8.3 and 8.3.6.1 in the IATF 16949:2016 standard.
In the toolkit folder, you will find the file named "List of Documents", where you can find the reference to the EU GDPR or the ISO standard. I suggest you follow the order of the folders and fill in the documents with an EU GDPR reference.
For example, you can begin with Folder 1 "Preparation for the project" and file 01.1 EU GDPR Readiness Assessment in order to verify what your current status is, and the preparation for the project in file 01.2. The next step is folder 4 with General policies and document 04.2 Personal Data Protection Policy, and keep following the EU GDPR relevant documents.
The Information Security Policy requires in section 3.3 (Secure engineering principles) that the responsible person issues “procedures for secure information system engineering, both for the development of new systems and for the maintenance of the existing systems, as well as set the minimum security standards which must be complied with.” Please note that the mentioned procedures are not included in the policy but need to be developed because of it.
Considering that, the recurrent task refers to the publication of these required procedures, i.e., you can only set this task as completed when all needed procedures are published. This task is not related to the publication of the Information Security Policy itself.
Consider this example: when developing this policy, you identify that you have a financial system, a production monitoring system, and a mobile app, all developed with different technologies. When the Information Security Policy is implemented, this recurrent task will remind you every 10 days after the Information Security Policy implementation date that you need to publish these needed procedures.
Once these related procedures and standards are published you can mark this task as completed, and the review cycle of these documents will be performed as defined in the document control procedure (e.g., at least annually).
All departments included in the ISMS scope need to be involved in the risk assessment.
Regarding risk owners, you should consider the roles with the most interest and authority to treat them. For example, in case you identify risks related to a server, you should consider the IT manager as the risk owner.
These articles will provide you with a further explanation about risk assessment and risk owners:
These materials will also help you regarding risk management:
1 - Do we need another recovery site?
Considering that there is a chance that another disruptive scenario can hit your organization at any moment (e.g., fire, flood, storm, etc.), and now, because of COVID-19, you will not have recovery space available to fulfill your needs in case of a new disruptive event, then you should consider another recovery site if you still want to achieve the continuity objectives defined pre-COVID-19.
The alternative would be to adjust continuity objectives according to your current operational capacity and situation (e.g., if your initial continuity objective was to work with 50% capacity during disruption, maybe now a possible objective would be only 25%, due to social distancing requirements).
Just for a mindset adjustment, you should keep thinking of your recovery site as a recovery site, not as a daily office, since it is being used like that only because you are in a disruptive scenario, i.e., social distancing required due to COVID-19.
2 - If we do, how do I convince management?
The direct answer is that you need to perform an assessment of your current allocation of continuity resources to identify what you can still use in case a new disruption hits you (e.g., is it possible to allocate more people in the recovery site, up to the limit defined by social restrictions?).
With this information in hand, you can go to management and present it to them, making clear what can be achieved in terms of business continuity under the current situation and allocation of resources, so they can make an informed decision between adjusting continuity objectives to feasible ones or allocating more resources for a new recovery site.
This article will provide you with a further explanation about business continuity objectives: