You asked
Once you attain accreditation for a lab, can you also expand the accreditation to another premises? Would the lab tests being performed in the new premises have to be re-validated, etc.?
Accreditation is typically per site, so in that case each site would need a separate accreditation assessment. You could obviously share QMS documentation, but records, including MV, would be required for each site. Alternatively, for some programmes the new premises could be accredited under a satellite programme as falling under the quality management system of an accredited head office / reference laboratory. I suggest you confirm this with the particular accreditation body – it will depend on their policies and the programme on offer.
You also asked
Is it OK to write a calibration due date on a calibration cert for a device we have calibrated? Do we need to write a disclaimer saying the calibration interval is determined by the customer? I've seen this on a number of ISO 17025-accredited certificates.
It is not acceptable to specify a date and then state a waiver as described. ISO 17025 specifies that the calibration laboratory cannot document any recommendation on the calibration interval, unless agreed with the customer. This means if there is evidence of agreement, you can include the date. No waiver is applicable.
And you asked
We use a subfraction of an ISO 12103-1 standard dust for calibrating our dust monitors. Does this material need to be tested (particle distribution) by an ISO 17025 accredited laboratory? We have a particle distribution from a non-accredited lab for the material. I am concerned that, as we are using it as a reference material, we would need to have an accredited certificate of the particle distribution.
To answer this question, ISO 17025 clause 6.5 applies, as well as the policy of your accreditation body. As an example, see TPS 57 UKAS Policy on Selection and Use of Reference Materials (Edition 4, June 2020). Yes, you are right: as a calibration lab issuing a certificate with a reported measurement uncertainty, the material should ideally be certified to achieve that assurance. For example, in TPS 57 they state that UKAS recommends the use of accredited reference material producers and calibration laboratories where they exist. Basically, in a testing context this requirement may be less stringent, as a testing lab would need to provide assurance that the results are traceable, along with a known measurement uncertainty. This they in fact get from the calibration lab. The context is different if you are issuing a calibration certificate. I do suggest a call to your accreditation body to confirm this, before incurring additional costs. The link to TPS 57 is available from https://www.ukas.com/resources/publications/laboratory-accreditation/
Regarding the certification of medical devices, we must separate two things: one is the certification of the quality system according to ISO 13485:2016, and the other is the certification of products and the issuance of the CE mark according to the MDR.
Manufacturers of Class I medical devices do not need a notifying body for product certification. So, they themselves issue the Declaration of Conformity and put the "CE" mark on their medical products, but the CE mark without a number (for example, they put the CE mark on the product, not CE2460).
Manufacturers of Class I medical devices need to prepare a quality system in accordance with ISO 13485 and be certified according to that standard.
For more information, please see the following:
Thank you, that is very informative and really helpful.
Please note that the non-conformity information that can be used for traceability in the Internal Audit Report template is the information included in the “Cross-reference to the Corrective Action Form” column. The template's comment suggests this be a number, which is sufficient to provide the necessary traceability.
Including numbering, or other form of identification besides the one included in the Cross-reference to the Corrective Action Form, would only make the document unnecessarily complex.
This article will provide you with a further explanation about records management:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
1. I would like to know what are the elements that should be considered when designing the layout of the alternative operational continuity site.
Answer: Besides the information about the general layout of the chosen alternative site (e.g., single or multiple floors, total area, etc.), the elements to be considered will depend on the results of your Business Impact Assessment (BIA), i.e., the process and services that need to be recovered, and the minimum acceptable performance levels.
The information from BIA will give you an idea of how many personnel, furniture, and equipment you will need to have in the alternative operational continuity site, allowing you to design the layout considering the available space.
For further information, see:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
- Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
2. What type of office equipment should be installed at an alternative site for operational continuity?
Answer: This answer also depends on the results of the BIA, i.e., the processes and services that need to be recovered, and the minimum acceptable performance levels.
3. What do the good practices say regarding the layout design of the alternative site and equipment to be assembled?
Answer: Considering ISO 22301, the leading ISO standard for business continuity, there are no prescriptions about the layout design of the alternative site or the equipment to be assembled (the standard prescribes performing a BIA to identify such information).
To provide a more detailed answer we would need information about which processes and services would be involved.
As a starting point, you can consider your current layout, adapting it considering the number of personnel required in the continuity site (e.g., if you need only half the personnel in the continuity site, use as a basis half the layout occupied by all personnel).
This article will provide you with a further explanation about ISO 22301:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
This material will also help you regarding ISO 22301:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Please note that the results of the risk assessment are only one of the justifications for control implementation. Controls can also be identified as needed if:
- there are legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of a control;
- there is a top management decision to implement a control (e.g., because top management considers the control a good practice).
Considering that, you can implement a control even though it is not related to any relevant risk.
This article will provide you with a further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding controls selection:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
By the phases you mentioned, I'm assuming you are looking for documents for a Business Continuity Management System.
Considering that, to see what a BCP and related procedures compliant with ISO 22301 look like, I suggest you take a look at these template demos:
- Business Continuity Plan https://advisera.com/27001academy/documentation/business-continuity-plan/
- Incident Response Plan https://advisera.com/27001academy/documentation/incident-response-plan/
- Transportation Plan https://advisera.com/27001academy/documentation/transportation-plan/
- Disaster Recovery Plan https://advisera.com/27001academy/documentation/disaster-recovery-plan/
- Activity Recovery Plan https://advisera.com/27001academy/documentation/activity-recovery-plan/
To make sure you are on the right implementation path, I suggest you take a look at this article:
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
To see what documents compliant with ISO 22301 look like, please take a look at the free demo of our ISO 22301 documentation toolkit: https://advisera.com/27001academy/iso22301-documentation-toolkit/
These articles will provide you with a further explanation about ISO 22301 and how to develop a BCP and related procedures:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
- How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
These materials will also help you regarding ISO 22301:
- Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
When I have to integrate several management systems, I follow this path. First, I look for the backbone on which to build the building. Normally, it is ISO 9001. Why? Because organizations exist to serve someone in the outside world: a customer, a client, an interested party. So, based on the process approach, I draw the system between clients with needs and expectations and clients served. I draw what I call the “Cristiano Ronaldo of the business”; in your case it would be something going from eggs to chicks, from chicks to chickens, from chickens to portions, from orders received to orders delivered. Then I draw all the support processes (related to training, purchasing, maintenance, …).
While serving your clients your organization interacts with the environment. What are your environmental aspects and impacts? What are the compliance obligations? Does your organization need to develop new practices that should be integrated with your working practices?
While serving your clients what are the risks and dangers for your employees? What are the compliance obligations? Does your organization need to develop new practices that should be integrated with your working practices?
While working in your organization people don’t wear four hats according to the mindset (quality hat, environmental hat, health and safety hat, and food safety hat). They do their job, and while doing their job they act according to the different requirements simultaneously.
The following material will provide you with information about management systems integration:
The implementation duration and costs depend on many variables (e.g., size and complexity of the scope, financial resources, expertise available, etc.), but for very small and small-sized businesses it is generally possible to implement ISO 27001 within 3 months.
For more information about the time needed for the implementation, I suggest you see this article:
Regarding costs, what I can tell you are some cost issues you should consider:
These materials can provide you with more information:
Please note that a travel agency works with a lot of customer information that needs to be protected (e.g., names and addresses, travel routes, etc.). Criminals with access to this information can use it to perpetrate crimes (house robbery, identity theft, etc.).
Considering that, an ISO 27001 certification can be relevant for a travel agency by bringing benefits such as:
This article will provide you with a further explanation about ISO 27001 benefits:
These materials will also help you regarding ISO 27001 benefits: