Please check this free on-demand webinar, ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope, where you can see examples of context and interested parties analysis.
You can find more information below:
The Automotive Industry Action Group (AIAG) quality initiatives include various association standards. I cannot tell from your question which standard you are referring to. An international standard for quality management in the automotive industry, IATF 16949:2016, is for example based on ISO 9001:2015. Regarding ISO 17025, the management requirements are the same as ISO 9001:2015. Basically, the international ISO standards have a common structure and requirements for document and record control, as well as data and information management.
Most industry standards are used in conjunction with other ISO standards, such as ISO 9001 and ISO 17025. The specific requirements will depend on the standard and application for a testing or calibration laboratory. I suggest you contact your accreditation body and find out the specific requirements for the accreditation programme associated with the automotive industry for testing and calibration laboratories.
For more information on IATF 16949, see the Advisera academy https://advisera.com/16949academy/
Regarding records, see the ISO 17025 toolkit document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/
Also have a look at the whitepaper Clause-by-clause explanation of ISO 17025:2017, available for download from https://advisera.com/17025academy/free-downloads/
Please note that the ISMS scope needs to include at least one physical location. In this case, this location can be the organization’s headquarters, or the team leader's home address.
These articles will provide you a further explanation about scope definition:
These materials will also help you regarding scope definition:
You asked
"Need help in validity of any test report [from date of issue]. Is there any standard practice to be followed for considering the validity of the Test Report?"
The validity is about the results rather than the test report itself. ISO 17025 has requirements regarding the approval of results and the content of the actual test report, as specified in clause 7.8 Reporting of results. This means the report must be compliant (meet requirements). The actual results (content of the test report) need to be valid. The requirement regarding ensuring the validity of results is covered in clause 7.7, which together with the other requirements of ISO 17025 assures clients and the accreditation body of the laboratory’s competence to produce suitably reliable results – i.e. consistent, valid results.
The standard practice is to have internal (clause 7.7.1) and external (clause 7.7.2) quality control checks. Internally this would involve, for example, the use of various blanks (e.g. reagent and sample blanks), and running certified reference or quality control materials with each batch of test samples or after every, say, 10th sample, depending on the stability of the method. External quality control involves participation in proficiency testing or interlaboratory comparisons to compare performance with other laboratories. This is to control the risk of a bias.
You also asked
“What should a certification body consider if the historical test report submitted by the client is more than 5 to 8 years?"
The relevant issue is the test reports issued to clients by an accredited laboratory. The accreditation body, when auditing a laboratory for compliance for accreditation, would need to assess recent reports, typically not older than 3 months.
For more information on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017, available for download from https://advisera.com/17025academy/free-downloads/ and preview the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ which includes the Quality Assurance Procedure. The procedure is also available separately at https://advisera.com/17025academy/documentation/quality-assurance-procedure/
If other parts are not included in your IATF 16949:2016 document, they are not audited against the IATF 16949:2016 standard. But if you want to, and if your automotive customer has an expectation, you can expand the scope and add other parts to your certificate.
For this, as you know, you should inform your certification company in advance.
Every auditor should have the following skills:
2. Good communication skills, assertive, asking questions without inducement, asking open-ended questions
3. Critical thinking – the auditor must be capable of stepping outside of their own judgments and biases in order to consider all perspectives
4. Curiosity – to see details, to ask questions that are maybe not always logical
All of these skills can be obtained through work on yourself or some webinars and books.
You can find more information regarding the internal audit for ISO 13485 at the following links:
First it is important that scope is defined in two different places - (1) in the ISMS scope document, where the specification needs to be much longer since you need to define what is in and what is out of the scope, and (2) in the scope sentence displayed on your certificate - that scope you need to define together with your certification body.
Further, your suggested scope focuses on 'management of information security' which does not make much sense because this would mean that you want to implement security only for your security activities, and not support your regular/business activities and information.
To see how an ISMS scope document compliant with ISO 27001 looks, please access the free demo of our ISMS Scope document at this link: https://advisera.com/27001academy/documentation/isms-scope-document/
These articles will provide you a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
For this answer, I’m assuming that control A.8.2.2 - Labelling of information, is considered applicable in the Auditee’s Statement of Applicability.
Considering that, please note that this situation needs to be considered in the context of the auditee’s procedures for labeling of information (ISO 27001 Annex A control A.8.2.2 - Labelling of information – requires procedures for information labeling to be developed and implemented).
In case there is a documented procedure for information labeling (the control does not require related procedures to be documented), you need to check what this document defines regarding labeling of information requested for audit. If there is no documented procedure, you need to check additional evidence to understand the common practice (e.g., by interviewing other people to see if they share the same understanding regarding the labeling of information requested for audit).
From this evaluation, you can decide if this situation is a common practice or if there is a failure to fulfill an expected behavior (i.e., a nonconformity).
This article will provide you a further explanation about information labeling:
These materials will also help you regarding information labeling:
To understand the benefits you need to see the risk assessment from the users’ point of view.
For people that are not used to performing risk assessment, it is easier to remember an event that may affect them than a specific set of elements (i.e., asset-threat-vulnerability), so you can perform risk assessment faster, without worrying about longer training sessions, and get the most relevant events from the users’ point of view.
This material will help you regarding risk assessment:
From your question it is not clear if you are referring to an internal auditor or a certification auditor, so the answer will cover both situations.
The “DIY with expert support” approach does not change the main points you need to consider.
When looking for an auditor to perform an internal audit you should consider:
We are not aware of specific jobs, boards, or professional associations of ISO 27001 internal auditors, so your best approach would be looking for them on professional social networks like LinkedIn, ISO 27001 security group on Google Groups, or organizations which issue certificates for information security professionals like ISC2 or ISACA.
For further information, see:
When looking for an auditor to perform a certification audit you need in fact to look for a certification body, and there are several factors you should take into account when selecting a certification body. Please read this article:
The main certification bodies for ISO 27001 are:
You can also find a proper certification body at this link: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
You can use this link to enter your profile, and we will find the certification body that best fits your needs.