Search results

ISO for forensic sciences labs

Forensic chemical testing, including toxicology (for example ethanol in blood or a toxic substances in urine), would be accredited to the ISO 17025 standard for testing laboratories; under a Forensic accreditation program. Note that countries may also have specific requirements for Legal forensics testing, besides ISO 17025.

ISO 15189 Medical laboratories - Requirements for quality and competence is the international standard for medical laboratories. i.e. if the testing is a human medical pathology test, for example blood chemistry or microbiology, then ISO 17025 is typically not applicable. It is worth noting that ISO 15189 was developed based on ISO 9001 and ISO 17025. The requirements are similar, in the context of the type of testing and medical diagnostic risk. I suggest you look at the requirements of the accreditation programme provided by your accreditation body.

For more information to meet ISO 17025 requirements, see the complimentary white paper (PDF) Clause-by-clause explanation of ISO 17025:2017 available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

ISO 27001: DevOps toolchains

Please note that legal operational responsibility may be only one of the requirements that you need to fulfill. To make your change management process legally secure you need to identify all legal requirements (e.g., laws, regulations, and contracts) that you must fulfill. For example, you may have a legal requirement demanding the use of a specific change approach, or technology.

In this case, the recommendation is to hire a local legal expert advisor to help you identify the requirements you need to fulfill.

An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.

This article can provide a start: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

But please note that the list in this article is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn).

This article will provide you a further explanation about the identification of requirements:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

BCP/DRP

Considering specifically the threat of hackers and cybersecurity, the first thing you should consider is performing a business impact analysis (BIA), to identify how business services and processes would be impacted by disruptions caused by such threats.

After identifying how business services and processes would be affected, then you can start planning your BCP/DRP, considering the most impacted services and processes. According to ISO 22301, a Business Continuity Plan must contain:

• Purpose, scope, and users
• Reference documents
• Assumptions
• Roles and responsibilities
• Key contacts
• Plan activation and deactivation
• Communication plan
• Incident response
• Physical sites and transportation
• Order of recovery for activities
• Recovery plans for activities
• Disaster recovery plan
• Required resources
• Restoring and resuming activities from temporary measures

To see how a BCP compliant with ISO 22301 looks like, please access the free demo at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

This article will provide you a further explanation about BCP content:
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

This material will also help you regarding BCP content:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- How to use ISO 22301 to continue operations during the pandemic [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-iso-22301-to-continue-operations-during-the-pandemic-free-webinar-on-demand/

FCS security governance critical success factor

ISO 27001 requires risk assessment only to identify risks, risk owners, and determine the levels of risk. Other information can be added in case an organization identifies them as relevant.

Some of the elements you mentioned (asset category, CWE, vulnerability) are related to an asset-based risk assessment, which is acceptable by the standard.

To see how a risk assessment table, based on the asset-based approach, looks like, please access the free demo of our Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/

This article will provide you a further explanation about risk assessment:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 27001 Certification

The first step is for you to decide which path you want to follow considering security management or security assurance (i.e., security audit), and for these areas, you have the following ISO 27001 certifications you can follow:

• ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
• ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISM S against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

These articles will provide you a further explanation about ISO 27001 personnel certifications:

• What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
• What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
• Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

For courses related to these certifications, please see:

• ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
• ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

ISO 14001 EMS Internal Audit

No, an EMS manual is not a mandatory document. Please check this article - List of mandatory documents required by ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/

Possible GDPR breach

The company should adopt organizational measures to prevent the unauthorized circulation of the email (is there an access control policy? Is staff trained?) It is not only about technical security measures but only adopting processes and procedures that prevent staff from disclosing sensitive information to a third party. So, in that way, the organization can be considered liable for a data breach.

Technical Manager - role, responsibilities and qualification

You asked

can the "technical" person report to myself? so ultimatley i would have responsibility for the quality and technical aspects

Yes, that is in order. As long roles, responsibilities and authorities are clear. Impartiality must be safeguarded to support policy and objectives. Competence of personnel and activities must be assured to produce valid, consistent results. This is achieved through knowing ISO 17025, customer, regulatory and accreditation requirements, knowing process risks and controlling them through standard operating procedures.

For more information on ISO 17025 requirements have a look at

The whitepaper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025

The articles:

• How to manage competence in a laboratory according to ISO 17025 at https://advisera.com/17025academy/blog/2021/05/26/how-to-manage-competence-in-a-laboratory-according-to-iso-17025/
• How to ensure impartiality in an ISO 17025 laboratory at https://advisera.com/17025academy/blog/2020/10/12/ensuring-impartiality-in-an-iso-17025-laboratory/

Applying ISO 9001 certification to a new entity within an ISO certified company

No, you cannot use it. Your new operation in Norway is not included in the scope of the other certified systems of the company. So, you must first implement the management system and then your company can request the certification of the operation in Norway or include the Norwegian site in the scope of another certified site. In the second case, in the next recertification or surveillance audit, the Norwegian site will be included.

Organizations shall define, document, and make available the scope of the QMS, referring to the Products and Services that are provided and identifying the limits of the management system. The scope should clearly describe the type of Products and Services covered by the system and provide sufficient information, preventing the transmission of erroneous or misleading information about what the organization covers in the quality management system and what it is able to provide to its customers. It must be available because it is through the scope that the organization communicates to the relevant interested parties, namely customers and potential customers, the Products and Services it makes available, and the locations involved.

The following material will provide you information about the scope of a quality management system:

• How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
• Free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/