When we perform a measurement of a variable to be measured, we are sure that there is a true value for the result. However, we recognize that we humans will never know what this true value is.
So, when we use monitoring and measuring resource to determine the value, we get a measured value of v1.
Can we trust v1?
To get around the problem of not knowing the true value, instead of crossing our arms, we adopt an engineering approach: we find a measurement standard traceable to international or national measurement standards, something that serves as a reference and that can be used as an approximation of the true value. For example, if we are working with a scale that gives results to the second decimal place and we use a measurement standard weight with five decimal places, we can admit that that measurement standard is the true value for our practical situation.
So, when we perform a measurement we have:
How do you read this in a calibration report?
First, let’s find the deviation. The calibration laboratory performs a set of measurements with the monitoring and measuring resource within the measuring range. Something like:
We calculate the deviation, or systematic error, by calculating the absolute value of the difference between the true value and the measured value.
What is the worst-case within the measuring range? Find the highest value for the calculated deviations. For example, d5. So, for any measurement done within the measuring range, there is an associated maximum error, max-error, equal to |d5 + uncertainty|
Now consider an example: We have a product that we put on the market. This product has a characteristic X (the mass, for example) that is promised to customers to be within the range of a specification.
They claim:
"Buy our product, we guarantee that it has a mass of 20g with a tolerance of plus or minus 2g"
Something like:
We will create a grid to assess the effect of the dimension of the measurement error on our assessment of product quality in terms of compliance with the specification. Something like:
As we approach the limits of the specification, there is an increased risk of making errors of appreciation, the so-called alpha and beta errors, accepting a bad product as being good, and rejecting a good product as being bad.
If the measurement error (max-error) increases in size, the likelihood of making these alpha and beta errors increases, as shown in the following figure:
The greater the measurement error, the greater the risk of making error alpha or error beta.
Reject a good product as bad, or accept a bad product as good.
The bigger the percentage of the tolerance interval “eaten” by the measurement error (max-error), the higher the probability of committing an alpha error or a beta error, that is, the risk of making a wrong decision.
By calling the tolerance range “2 x T” (because of ± T) and the measurement error (max-error) as ME, we can calculate the following ratio:
If R = 1 (2 x T = ME), the degree of risk in decision making following the measurement is 100%.
If R = 2 (2 x T = 2 x ME), the degree of risk is 50%.
If R = 10 (2 x T = 10 x ME), the degree of risk is 10%.
In other words: Only when the measured value falls within the blue areas of the figure below, is there a risk of making the alpha or beta error of appreciation, that is, a 25% risk.
So, we can say:
The decision criterion for establishing the maximum error (ME) to accept a measurement instrument following a calibration is not metrological; it is a management criterion (we are not talking about legal metrology). What risk do we accept in our measurement assessment?
The risk will always exist, always! We have to assess its size, and decide what size we find too uncomfortable.
From the above example, does our scale measure the mass of a pharmaceutically active ingredient for a recipe? Or measure the amount of flour to put in a pastry cake? What is the risk associated with each situation?
ISO 10012-1, in the Application Guide, advised (I say advised because I do not have the latest version at hand) that the R-value should be as high as possible, and that the range should be between a minimum of 3 and a maximum of 10 (more than 10 means having a measuring device that is too good, maybe too expensive).
Consider your monitoring and measurement resource and check what is the lowest tolerance allowed in a measurement made with it, and then determine your R.
You can find more information below:
If there are changes in the SOA after certifying the company you have to:
Basically, you have to perform the risk assessment and treatment again.
For further information, see:
Regarding the external audit, when the SoA is changed you need to inform the certification body about the changes made, so it can verify if the surveillance audit needs adjustment, either in duration or in the number of required auditors, due to the change in the number of applicable controls. You need to communicate this as soon as possible.
I am sorry, but your case does not involve the GDPR aspect; it involves how the Union fulfilled the obligation of providing legal assistance. You should verify with a lawyer if the Union somehow abused the powers of representation you provided to handle the case. From your question I understand that you asked for legal aid, not for legal representation, and you provided your personal data, so the Union has the right to process your data. If they misrepresented you in front of your employer, it is an aspect that does not involve data processing. You should contact a lawyer to verify if the Union acted correctly.
Here you can find more information on the legal basis to process personal data according to the GDPR:
If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations: https://advisera.com/training/eu-gdpr-foundations-course//
Let us use ISO 9001:2015 as our guide. After a non-conformity being detected, a supplier may decide to ask for a derogation by the customer. According to ISO 9001:2015, clause 8.7 the supplier must keep records evidencing that the customer authorized the derogation. There is no requirement about what kind of record is to be used. The supplier may use its own internal NC and ask the customer to use it for evidence approval, or the supplier may annex an e-mail from the customer to evidence that approval.
You can find more information about improvement in the following links:
1. Is there an ISO certification we should look at?
Please note that ISO certifications are not mandatory by themselves, although some countries have established laws and regulations that are easier to fulfil by adopting them, and an increasing number of customers prefer ISO-certified organizations as suppliers because they consider such organizations more capable of helping them.
Considering that, you need to evaluate your legal environment and customers’ profile to see if an ISO certification is interesting to you.
Broadly speaking, IT Managed Service Providers should consider the following certifications:
These standards share many common requirements, so you can implement them in an integrated way.
These articles will provide you with further explanation about ISO standards:
This article can provide you a customer point of view (the same general concept applies to all ISO management standards):
2. What would be involved to get certified and what sort of costs would we expect?
After the implementation of documents and controls required by the specific standard, you need to make sure that everyone in the company is complying with documents, i.e., performing all the activities prescribed there. After that, you can work on selecting your certification body.
Our toolkit can help you with the implementation:
These articles will provide you with further explanation about the ISO 27001 implementation process:
Regarding costs, without detailed information about the certification scope it is not possible to give you a precise answer, but broadly speaking, what I can tell you is that these are some cost issues you should consider:
These materials can provide you more information:
For the duration of the implementation:
These materials will also help you regarding the ISO 27001 project:
Besides our webinars, to support your ISO 27001 implementation in Advisera you can find:
Regarding specialists, you may consider a specialist in the ISO 27001 standard (with our toolkit this need is reduced to a minimum) and specialists in your core processes and technologies.
These articles will provide you with further explanation about ISO 27001:
These materials will also help you regarding ISO 27001:
Besides information about specific controls in our blog (https://advisera.com/iso-27001/), and how to apply them, these materials may also help you:
Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/pt-br/knowledgebase/visao-geral-do-anexo-a-da-iso-270012013/
ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Simply stated, measurement uncertainty cannot be ignored when it comes to conformity statements reported under accreditation. During contract review a laboratory must confirm with the customer that it can meet the requirements for accuracy and is able to perform the measurements. The issue of measurement uncertainty must be discussed and evaluated to avoid the risk of a false pass (acceptance), as the uncertainty could result in the reported measurement being larger than the specification, due to the uncertainty component.
If the expanded measurement uncertainty is smaller than the accuracy requirements of the regulators or client, then the agreed decision rule could, for example, be: “PASS” indicates that the test method conforms with the accuracy requirements of the testing standard. The expanded measurement uncertainty (k = 2, 95 % probability) is not greater than the accuracy requirements defined as <value>. You could also refer to a table.
For more information, refer to the ILAC guideline G8:09/2019 Guidelines on Decision Rules and Statements of Conformity, available for download from https://ilac.org/publications-and-resources/ilac-guidance-series/, and refer to your accreditation body requirements. A good example of a guideline from an accreditation body is the UKAS LAB 48 Decision Rules and Statements of Conformity, available from https://www.ukas.com/resources/publications/laboratory-accreditation/
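The calculation described in the calibration post above (deviations d1..d5, max-error = largest deviation plus uncertainty, R = 2 x T / ME, risk = 100 / R, and the "blue" risk zones within ME of each tolerance limit), together with the simple PASS rule from the decision-rule answer (expanded uncertainty not greater than the accuracy requirement), as one added worked example in Python. This is illustration code written for this page, not code from either post or from Advisera; the calibration points, the 20 g +/- 2 g specification and the uncertainty value are constructed, and the guard band of width ME on each side of each limit is an assumption that follows the post's description of the figure rather than any particular published decision rule.

```python
"""Calibration max-error, R ratio and guard-band decision (added illustration)."""

# Constructed calibration report: (reference value of the measurement standard,
# value read on the scale), all in grams, five points across the measuring range.
CALIBRATION_POINTS = [
    (5.00000, 5.1),
    (10.00000, 10.2),
    (15.00000, 14.8),
    (20.00000, 20.3),
    (25.00000, 25.2),
]
EXPANDED_UNCERTAINTY_G = 0.1  # constructed U (k = 2) from the report


def deviations(points):
    """Systematic error at each calibration point: |reference - measured|."""
    return [abs(ref - meas) for ref, meas in points]


def max_error(points, uncertainty):
    """Worst case within the measuring range: largest deviation plus U."""
    return max(deviations(points)) + uncertainty


def ratio_r(tolerance_t, me):
    """R = (2 x T) / ME: tolerance interval divided by the max-error."""
    if me <= 0:
        raise ValueError("max-error must be positive")
    return (2 * tolerance_t) / me


def risk_percent(r):
    """Share of the tolerance interval 'eaten' by the max-error, 100 / R
    (R = 1 -> 100 %, R = 2 -> 50 %, R = 4 -> 25 %, R = 10 -> 10 %)."""
    return 100.0 / r


def r_in_recommended_range(r, low=3, high=10):
    """The 3..10 band the post attributes to the ISO 10012 application guide."""
    return low <= r <= high


def classify(measured, nominal, tolerance_t, me):
    """Decision with a guard band of width ME inside and outside each limit
    (assumed interpretation of the post's figure).

    'accept'    : at least ME inside both limits.
    'reject'    : more than ME outside a limit.
    'risk zone' : within ME of a limit, where an alpha or beta error is possible.
    """
    lsl, usl = nominal - tolerance_t, nominal + tolerance_t
    if measured < lsl - me or measured > usl + me:
        return "reject"
    if lsl + me <= measured <= usl - me:
        return "accept"
    return "risk zone"


def decision_rule_pass(expanded_uncertainty, accuracy_requirement):
    """PASS rule of the kind quoted for accredited labs: the expanded
    uncertainty (k = 2) must not exceed the agreed accuracy requirement."""
    return expanded_uncertainty <= accuracy_requirement


def report(nominal=20.0, tolerance_t=2.0):
    """Summarise the constructed scale against a nominal +/- T specification."""
    me = max_error(CALIBRATION_POINTS, EXPANDED_UNCERTAINTY_G)
    r = ratio_r(tolerance_t, me)
    return {
        "max_error": round(me, 6),
        "R": round(r, 6),
        "risk_percent": round(risk_percent(r), 6),
        "R_ok": r_in_recommended_range(r),
    }


if __name__ == "__main__":
    summary = report()
    print(summary)
    me = summary["max_error"]
    for value in (17.5, 18.2, 19.0, 21.9, 22.5):
        print(f"{value:5.1f} g -> {classify(value, 20.0, 2.0, me)}")
    print("PASS" if decision_rule_pass(EXPANDED_UNCERTAINTY_G, 0.5) else "FAIL")
```

With the constructed points the largest deviation is 0.3 g, so ME = 0.4 g, R = 4 / 0.4 = 10 and the decision risk is 10 %, at the top of the recommended band; a reading of 18.2 g lands in the risk zone near the lower limit while 19.0 g is accepted outright. Changing `EXPANDED_UNCERTAINTY_G` or the tolerance shows directly how a larger max-error eats into the tolerance interval and widens the zones where a wrong decision is possible.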
1 - They've asked if there's any way they can be certified, considering they're already ISO 27001 certified. I've been researching the topic for a while and I've only seen this type of compliance statement being given to cloud service providers.
Answer: First it is important to note that ISO 27017 is not a certifiable standard (some certification bodies "certify" against ISO 27017, but only during an ISO 27001 or ISO 27701 certification process, because ISO 27001 and ISO 27701 are the only certifiable standards in the ISO 27000 series).
Considering that, to be "certified" against ISO 27017 all an organization needs to do is to include the applicable controls related to ISO 27017 in its Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process) and implement the risk treatment plan also considering the ISO 27017 controls.
These articles can provide further information:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
2 - I wanted to ask if you have seen this attestation being requested and given to any company that is only a cloud consumer.
Thank you in advance for your attention!
Answer: Please note that ISO 27017 also has controls applicable considering the point of view of the customer, so cloud consumers also can request to be “certified” as explained in the previous question.