Indeed, Excel can be used as the primary program/tool in a Laboratory Information Management System, if it will achieve the purpose for your laboratory. In fact, the Advisera ISO 17025 toolkit provides templates as either Microsoft Word or Excel. The toolkit can serve as the core documentation for your LIMS system.
A LIMS is typically made up of a combination of noncomputerized (hardcopy records) and computerised systems. The computerised system can range from a simple system of stored scanned PDF format records and Microsoft Word and Excel documents, forms and records, to more complex direct data transfer, processing and storage between instruments and database programmes. As long as the requirements for the LIMS are identified, the scope is defined (what it does) and it is tested and validated for functionality, then that is an acceptable framework. Functional validation involves test cases to provide evidence that the system does what it is meant to do. All the requirements for data and information control must be met. That includes protection, access and change control, integrity and the recording of system failures. Furthermore, all calculations and data transfers must be checked and safeguarded.
For more detail on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Risks can be about:
Risks about products, services and processes can be monitored, evaluated and reported based on process performance indicators, and other indicators like customer complaints, customer satisfaction and returns. These indicators illustrate how well risks were determined, and effective actions were taken.
Risks about context and interested parties are more about trends in the external environment that can help or hinder performance. For example, in this picture from our webinar about Clause 4:
You can see how internal and external context collide with an interested party expectation to raise a risk. Management review can be used to evaluate these kinds of risks and determine actions. The effectiveness of those actions will be evaluated in the next management review meeting.
Consider also the following information:
Please note that the toolkit was developed so that the easiest way to implement it is to approve the documents as soon as you finish developing them (you should follow the sequence of documents as they are presented in the folders in the toolkit). The references are included in a way that, when you approve them in the suggested sequence, the referred documents are already approved, or have minimal impact on the document (i.e., they provide complementary guidance).
We do not recommend you approve all of them at the same time, to avoid overloading those responsible for approvals and users with too much information (documents should be implemented with a short interval between them so people get used to information security in a controlled manner).
In fact, changes in the ISMS scope are quite common, and your organization can perform changes in the ISMS scope at any moment during the certification period. The scope can be expanded or reduced according to the organization's needs.
A change in the ISMS scope is something expected during a certification life cycle and this situation does not make it invalid, provided that the new scope still fulfills all requirements of the standard. Considering that, after defining the new scope, you need to evaluate the impacts of the change and make proper adjustments in the ISMS (e.g., risk assessment, risk treatment, SoA, etc.).
Regarding the certification body, you need to inform it about the change in the scope, so it can verify if any adjustment in the planned surveillance audits is necessary (e.g., if only minor adjustments in the current schedule are enough, or if additional days are required).
These articles will provide you with further explanation about the scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
This material will provide you with further explanation about the scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
It is difficult to answer this question because mostly it depends on your domestic tax law. From a GDPR point of view I can say that along with consent and Court order there is also internal law and regulation. Therefore, you should verify with a lawyer of your country the legitimacy of the tax department's behavior.
Here you can find more information on the legal basis to process personal data according to the GDPR:
If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//
You need to determine the environmental aspects and impacts, determine and evaluate the compliance obligations, determine priorities to improve your organization’s interactions with the environment, and develop action plans.
You need to determine an environmental monitoring plan. And, of course, you have to update the scope and the context analysis, the interested parties, the policy and the objectives.
Those first two topics, environmental aspects and impacts and compliance obligations, determine the amount of work to be done on the shop floor.
For more information, see:
ISO 27001 is designed to be implemented in organizations of any size and industry, so its implementation in a scenario where the organization has only one person is perfectly feasible.
Regarding the duration of implementation, for a very small business (up to 5 employees) it is generally possible to implement ISO 27001 within 3 months.
For more information about the time needed for the implementation, I suggest you see this article:
These materials can provide you more information:
First, it is important to know which objectives you want to achieve (i.e., for which purpose you want to use ISO 27001 as a guideline).
For example, if your organization wants to be fully compliant with ISO 27001, even if you are not intending certification, then the Statement of Applicability is mandatory.
In case your intent does not involve being fully compliant with ISO 27001 (e.g., you only want to adopt some controls of the standard), then the Statement of Applicability is not mandatory, but we strongly recommend that you use it as a good practice, because the SoA can be used as the main guide to understand and provide an overview of how information security is implemented in your organization.
This article will provide you with further explanation about the Statement of Applicability:
These materials will also help you regarding ISO 27001 implementation:
If a customer-specific requirement is not defined by your customer, the training you received is enough for you to do second-party audits.
Note: Generally, German customers (Daimler, Volkswagen, ...) require the VDA 6.3 process audit approach to supplier audits; therefore, customer-specific requirements should be taken into account.
The software company acts as a processor while the caregiver is the data controller. In that case, your privacy notice will state that the controller is the caregiver since it is the person that has control over data processing. You will also need a data protection agreement with caregivers annexed to your commercial licensing/software agreement.