You should ask this information from the certification body with which you plan to work, because it is the certification body that plans the audits you will be included in (e.g., you may be included in three audits in sequence or one audit per month, etc.). In general, a single certification audit may last between 3 and 5 days, depending on the size and complexity of the scope.
For further information, see:
The data protection policy is an internal document that shows how the company deals with personal data, and it is not published in contracts, so maybe you are referring to clauses on data protection in your contracts (yes, you should have them) or to a data protection agreement as an annex to contracts signed with clients or suppliers (it is required if the contract involves the transfer of data between the two parties). The privacy policy on the website usually describes how personal data collected through the website are processed; it may also cover data processing performed by the company on personal data of clients (e.g., if there is an online shop). Of course, if your privacy policy on the website describes how your company processes data of clients, employees, and suppliers, you can state in your contract that data are processed according to the privacy policy available on the website (remember to insert the link).
Here you can find more information about the privacy notice.
If you need to understand how to process personal data under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Normally, those documents are issued in digital form. So, to control those documents you need to control the software that issues them. That way you don't need to show identification numbers, revision and revision date.
By the way, since you use the wording "external documents", please check this article - What does "external documents control" mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
You can find more information below:
You asked
Once you attain accreditation for a lab, can you also expand the accreditation to another premises? Would the lab tests being performed in the new premises have to be re-validated, etc.?
Accreditation is typically per site, so in that case each site would need a separate accreditation assessment. You could obviously share QMS documentation, but records, including MV, would be required for each site. Alternatively, for some programmes the new premises could be accredited under a satellite programme as falling under the quality management system of an accredited head office / reference laboratory. I suggest you confirm this with the particular accreditation body; it will depend on their policies and the programme on offer.
You also asked
Is it OK to write a calibration due date on a calibration certificate for a device we have calibrated? Do we need to write a disclaimer saying the calibration interval is determined by the customer? I've seen this on a number of ISO 17025-accredited certificates.
It is not acceptable to specify a date and then state a waiver as described. ISO 17025 specifies that the calibration laboratory cannot document any recommendation on the calibration interval, unless agreed with the customer. This means if there is evidence of agreement, you can include the date. No waiver is applicable.
And you asked
We use a subfraction of an ISO 12103-1 standard dust for calibrating our dust monitors. Does this material need to be tested (particle distribution) by an ISO 17025 accredited laboratory? We have a particle distribution from a non-accredited lab for the material. I am concerned that, as we are using it as a reference material, we would need to have an accredited certificate of the particle distribution.
To answer this question, ISO 17025 clause 6.5 applies, as well as the policy of your accreditation body. As an example, see TPS 57 UKAS Policy on Selection and Use of Reference Materials (Edition 4, June 2020). Yes, you are right: as a calibration lab issuing a certificate with a reported measurement uncertainty, the material should ideally be certified to achieve that assurance. For example, in UKAS TPS 57 they state that UKAS recommends the use of accredited reference material producers and calibration laboratories where they exist. Basically, in a testing context this requirement may be less stringent, as a testing lab would need to provide assurance that the results are traceable, along with a known measurement uncertainty. This they in fact get from the calibration lab. The context is different if you are issuing a calibration certificate. I do suggest a call to your accreditation body to confirm this, before incurring additional costs. The link to TPS 57 is available from https://www.ukas.com/resources/publications/laboratory-accreditation/
Regarding the certification of medical devices, we must separate two things: one is the certification of the quality system according to ISO 13485:2016, and the other is the certification of products and the issuance of the CE mark according to the MDR.
Manufacturers of Class I medical devices do not need a notified body for product certification. So, they themselves issue the Declaration of Conformity and put the "CE" mark on their medical products, but the CE mark without a number (for example, they put the CE mark on the product, and not CE2460).
Manufacturers of Class I medical devices need to prepare a quality system in accordance with ISO 13485 and be certified according to that standard.
For more information, please see the following:
Thank you, that is very informative and really helpful.
Please note that the non-conformity information that can be used for traceability in the Internal Audit Report template is the information included in the "Cross-reference to the Corrective Action Form" column, which the template's comments suggest should be a number; this is sufficient to provide the necessary traceability.
Including numbering, or another form of identification besides the one included in the "Cross-reference to the Corrective Action Form" column, would only make the document unnecessarily complex.
This article will provide you with a further explanation about records management:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
1. I would like to know what are the elements that should be considered when designing the layout of the alternative operational continuity site.
Answer: Besides the information about the general layout of the chosen alternative site (e.g., single or multiple floors, total area, etc.), the elements to be considered will depend on the results of your Business Impact Analysis (BIA), i.e., the processes and services that need to be recovered, and the minimum acceptable performance levels.
The information from the BIA will give you an idea of how much personnel, furniture, and equipment you will need to have in the alternative operational continuity site, allowing you to design the layout considering the available space.
For further information, see:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
- Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
2. What type of office equipment should be installed at an alternative site for operational continuity?
Answer: This answer also depends on the results of the BIA, i.e., the processes and services that need to be recovered, and the minimum acceptable performance levels.
3. What do the good practices say regarding the layout design of the alternative site and equipment to be assembled?
Answer: Considering ISO 22301, the leading ISO standard for business continuity, there are no prescriptions about the layout design of the alternative site or the equipment to be assembled (the standard requires performing a BIA to identify such information).
To provide a more detailed answer we would need information about which processes and services would be involved.
As a starting point, you can consider your current layout, adapting it considering the number of personnel required in the continuity site (e.g., if you need only half the personnel in the continuity site, use as a basis half the layout occupied by all personnel).
This article will provide you with a further explanation about ISO 22301:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
This material will also help you regarding ISO 22301:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Please note that the results of the risk assessment are only one of the justifications for control implementation. Controls can also be identified as needed if:
- there are legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of a control;
- there is a top management decision to implement a control (e.g., because top management considers the control a good practice).
Considering that, you can implement a control even though it is not related to any relevant risk.
This article will provide you with a further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding controls selection:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
By the phases you mentioned, I'm assuming you are looking for documents for a Business Continuity Management System.
Considering that, to see what a BCP and related procedures compliant with ISO 22301 look like, I suggest you take a look at these template demos:
- Business Continuity Plan https://advisera.com/27001academy/documentation/business-continuity-plan/
- Incident Response Plan https://advisera.com/27001academy/documentation/incident-response-plan/
- Transportation Plan https://advisera.com/27001academy/documentation/transportation-plan/
- Disaster Recovery Plan https://advisera.com/27001academy/documentation/disaster-recovery-plan/
- Activity Recovery Plan https://advisera.com/27001academy/documentation/activity-recovery-plan/
To make sure you are on the right implementation path, I suggest you take a look at this article:
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
To see what documents compliant with ISO 22301 look like, please take a look at the free demo of our ISO 22301 documentation toolkit: https://advisera.com/27001academy/iso22301-documentation-toolkit/
These articles will provide you with a further explanation about ISO 22301 and how to develop a BCP and related procedures:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
- How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
These materials will also help you regarding ISO 22301:
- Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/