Simply stated, measurement uncertainty cannot be ignored when it comes to conformity statements reported under accreditation. During contract review a laboratory must confirm with the customer that it can meet the requirements for accuracy and is able to perform the measurements. The issue of measurement uncertainty must be discussed and evaluated to avoid the risk of a false pass (acceptance), as the uncertainty could result in the measurement reported being larger than the specification, due to the uncertainty component.
If the expanded measurement uncertainty is smaller than the accuracy requirements of the regulators or client, then the agreed decision rule could, for example, be: “PASS” indicates that the test method conforms with the accuracy requirements of the testing standard. The expanded measurement uncertainty (k = 2, 95 % probability) is not greater than the accuracy requirements defined as <value>. You could also refer to a table.
For more information, refer to the ILAC guideline G8:09/2019 Guidelines on Decision Rules and Statements of Conformity, available for download from https://ilac.org/publications-and-resources/ilac-guidance-series/, and refer to your accreditation body requirements. A good example of a guideline from an accreditation body is the UKAS LAB 48 Decision Rules and Statements of Conformity, available from https://www.ukas.com/resources/publications/laboratory-accreditation/
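A worked illustration of the decision rules this answer refers to, added here as an example and not part of the original post: the binary simple-acceptance rule (which ignores uncertainty and carries the false-accept risk) beside the non-binary guard-band statement from ILAC G8 with guard band w = U. The tolerance limit, measured values and expanded uncertainty are constructed, and the contract-review check that U must be smaller than the accuracy requirement is enforced before any statement is made.

```python
from typing import Optional

# Constructed sample data (not from the post): a one-sided upper limit of
# 10.0 units and an expanded uncertainty U = 0.4 units (k = 2, ~95 %).
UPPER_LIMIT = 10.0
EXPANDED_U = 0.4


def simple_acceptance(x: float, lower: Optional[float], upper: Optional[float]) -> str:
    """Binary rule that ignores uncertainty: PASS whenever x lies inside the
    tolerance. This is the rule that carries the false-accept risk."""
    if (lower is not None and x < lower) or (upper is not None and x > upper):
        return "FAIL"
    return "PASS"


def guard_band_statement(x: float, u: float, lower: Optional[float],
                         upper: Optional[float]) -> str:
    """Non-binary statement with guard band w = U (ILAC G8 non-binary rule).

    PASS              inside tolerance by more than U (x +/- U fits inside)
    CONDITIONAL PASS  inside tolerance, but within U of a limit
    CONDITIONAL FAIL  outside tolerance, but within U of a limit
    FAIL              outside tolerance by more than U
    """
    if u < 0:
        raise ValueError("expanded uncertainty must be non-negative")
    if lower is not None and upper is not None and upper - lower < 2 * u:
        # Guard bands from both limits overlap, so no result could ever be a
        # clear PASS: U is not smaller than the accuracy requirement. This is
        # the check that belongs in contract review, before testing starts.
        raise ValueError("expanded uncertainty too large for the tolerance")
    # Signed distance from x to the nearest limit; positive means inside.
    margins = []
    if lower is not None:
        margins.append(x - lower)
    if upper is not None:
        margins.append(upper - x)
    if not margins:
        raise ValueError("at least one tolerance limit is required")
    margin = min(margins)
    if margin >= u:
        return "PASS"
    if margin >= 0:
        return "CONDITIONAL PASS"
    if margin >= -u:
        return "CONDITIONAL FAIL"
    return "FAIL"


if __name__ == "__main__":
    for x in (9.5, 9.8, 10.2, 10.6):
        print(x, simple_acceptance(x, None, UPPER_LIMIT),
              guard_band_statement(x, EXPANDED_U, None, UPPER_LIMIT))
```

Note how 9.8 is a plain PASS under simple acceptance but only a CONDITIONAL PASS once the guard band is applied; that gap is the false-accept risk the answer describes.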
1 - They've asked if there's any way they can be certified, considering they're already ISO 27001 certified. I've been researching the topic for a while and I've only seen this type of compliance statement being given to cloud service providers.
Answer: First, it is important to note that ISO 27017 is not a certifiable standard (some certification bodies "certify" against ISO 27017, but only during an ISO 27001 or ISO 27701 certification process, because ISO 27001 and ISO 27701 are the only certifiable standards in the ISO 27000 series).
Considering that, to be "certified" against ISO 27017 all an organization needs to do is to include the applicable controls related to ISO 27017 in its Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process) and implement the risk treatment plan also considering the ISO 27017 controls.
These articles can provide further information:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
2 - I wanted to ask if you have seen this attestation being requested and given to any company that is only a cloud consumer.
Thank you in advance for your attention!
Answer: Please note that ISO 27017 also has controls applicable considering the point of view of the customer, so cloud consumers also can request to be “certified” as explained in the previous question.
Yes, you can reduce the number of sampling sites. It is recommended that you perform validation of that process, where you will analyze all the data that you have collected so far and explain why it is justified to reduce the number of sampling sites.
For more information, please see the following link:
Please check this free on-demand webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - where you can see examples of context and interested parties analysis.
You can find more information below:
The Automotive Industry Action Group (AIAG) quality initiatives include various association standards. I cannot tell from your question which standard you are referring to. An international standard for quality management in the automotive industry, IATF 16949:2016, is for example based on ISO 9001:2015. Regarding ISO 17025, the management requirements are the same as ISO 9001:2015. Basically, the international ISO standards have a common structure and requirements for document and record control, as well as data and information management.
Most industry standards are used in conjunction with other ISO standards, such as ISO 9001 and ISO 17025. The specific requirements will depend on the standard and application for a testing or calibration laboratory. I suggest you contact your accreditation body and find out the specific requirements for the accreditation programme associated with the automotive industry for testing and calibration laboratories.
For more information on IATF 16949, see the Advisera academy https://advisera.com/16949academy/
Regarding records, see the ISO 17025 toolkit document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/
Also have a look at the whitepaper Clause-by-clause explanation of ISO 17025:2017, available for download from https://advisera.com/17025academy/free-downloads/
Please note that the ISMS scope needs to include at least one physical location. In this case, this location can be the organization’s headquarters or the team leader's home address.
These articles will provide you a further explanation about scope definition:
These materials will also help you regarding scope definition:
You asked
"Need help in validity of any test report [from date of issue]. Is there any standard practice to be followed for considering the validity of the Test Report?
The validity is about the results rather than the test report itself. ISO 17025 has requirements regarding the approval of results and the content of the actual test report, as specified in clause 7.8 Reporting of results. This means the report must be compliant (meet requirements). The actual results (the content of the test report) need to be valid. The requirement regarding ensuring the validity of results is covered in clause 7.7, which together with the other requirements of ISO 17025 assures clients and the accreditation body of the laboratory’s competence to produce suitably reliable results – i.e. consistent, valid results.
The standard practice is to have internal (clause 7.7.1) and external (clause 7.7.2) quality control checks. Internally this would involve, for example, the use of various blanks (e.g. reagent and sample blanks), running certified reference or quality control materials with each batch of test samples or after, say, every 10th sample, depending on the stability of the method. External quality control involves participation in proficiency testing or interlaboratory comparisons to compare performance with other laboratories. This is to control the risk of a bias.
You also asked
“What should a certification body consider if the historical test report submitted by the client is more than 5 to 8 years?"
The relevant issue is the test reports issued to clients by an accredited laboratory. The accreditation body, when auditing a laboratory for compliance for accreditation, would need to assess recent reports, typically not older than 3 months.
For more information on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017, available for download from https://advisera.com/17025academy/free-downloads/, and preview the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ which includes the Quality Assurance Procedure. The procedure is also available separately at https://advisera.com/17025academy/documentation/quality-assurance-procedure/
If other parts are not included in your IATF 16949:2016 document, they are not audited for the IATF 16949:2016 standard. But if you want, and if your automotive customer has an expectation, you can expand the scope and get the other parts added to your certificate.
For this, as you know, you should inform your certification company in advance.
Every auditor should have the following skills:
2. Good communication skills, assertive, asking questions without inducement, asking open-ended questions
3. Critical thinking – the auditor must be capable of stepping outside their own judgments and biases in order to consider all perspectives
4. Curiosity – to see details, to ask questions that may not always seem logical
All of these skills can be obtained through work on yourself or some webinars and books.
You can find more information regarding the internal audit for ISO 13485 at the following links:
First, it is important to note that the scope is defined in two different places - (1) in the ISMS scope document, where the specification needs to be much longer since you need to define what is in and what is out of the scope, and (2) in the scope sentence displayed on your certificate - that scope you need to define together with your certification body.
Further, your suggested scope focuses on 'management of information security' which does not make much sense because this would mean that you want to implement security only for your security activities, and not support your regular/business activities and information.
To see what an ISMS scope document compliant with ISO 27001 looks like, please access the free demo of our ISMS Scope document at this link: https://advisera.com/27001academy/documentation/isms-scope-document/
These articles will provide you a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/