
  • ISO 17025 Audit requirements

    You asked

    "1. We are QC testing laboratory for lubricant oil & samples are inhouse only as we have our manufacturing plant now we are planning to get 17025 certification. I want to know what all documents are needed

    The mandatory processes and procedures apply to all laboratories implementing ISO 17025. Then, depending on your scope (for example, whether the laboratory is responsible for sampling or not), you reduce and modify what is put into place and stated in your documents. For information, see the article Checklist List of mandatory documents required by ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/ and download the complimentary checklist at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025?

    You also asked

    2. Also I need guidance to make the format of scope

    The laboratory will typically add this directly or as a linked record to the quality manual. Have a look at the Q&A post Scope of accreditation at https://community.advisera.com/topic/scope-of-accreditation/

    You also asked

    3. We already have quality manual & policy as per ISO 9001 45001 & 14001. Do we need to make new for ISO 17025

    You can integrate your manuals and ISO 17025 clause 8 requirements; however, if different people are responsible for the ISO 9001, 45001, and 14001 certifications, it would be beneficial to keep a separate manual for ISO 17025. Either way, for efficiency, ensure your approach to management system requirements, such as handling complaints and nonconformances, is common.

    For more information on integrating ISO 17025 with a certified management system, see the Q&A post and links from the Q&A post Merging ISO 9001 & ISO 17025 at https://community.advisera.com/topic/merging-iso-9001-iso-17025

    You also asked

    4. Also if you can guide regarding which documents should be in hard copy format or all documents in soft format is okay

    ISO 17025 requires the laboratory to document processes to the extent necessary. The operational need will determine whether hard or soft copy documents, forms, and records are most appropriate. ISO 17025 does not specify.

  • How long and how much for emdr 2a certification of software ai as medical device?

    If I understand your question properly, the certification process from the moment you submit the technical documentation to the notified body lasts 9 or 12 months.

  • Supporting documentation for training

    As training material about ISO 27001, we suggest you the following material:

    These materials will also help you:

  • Lab exchanging anonymized samples for studies

    What you are referring to relates to the requirement of ISO 17025 clause 7.7 to ensure the validity of results. Internal quality control can include, for example, the laboratory or quality manager submitting control samples as unknown test samples. This is listed as clause 7.7.1 g, retesting of retained items. Simply ensure the samples are processed as routine samples and monitor the results against expected results. When it comes to exchanging samples externally for quality control purposes, ensure best practices are followed and the approach to statistical evaluation and performance criteria are agreed to in advance. This is listed as clause 7.7.2 b, participation in interlaboratory comparisons other than proficiency testing. In both cases, clause 7.7.3 states the requirement to analyze data and, if the results are not within the pre-defined criteria, the laboratory must take corrective action.

    For more information, see the response to another question at https://community.advisera.com/topic/clause-7-7-7-7-1/ and the Advisera Toolkit Quality Assurance Procedure at https://advisera.com/17025academy/documentation/quality-assurance-procedure/

  • ISO 9001 and Gap Analysis and Internal Audit

    A) Stage 1 audit is mostly about the design of the management system. Is the system well designed? Does the system consider all the requirements in the management standard? Is the management system ready for a stage 2 audit? Nonconformities may be raised.

    Stage 2 audit is mostly about implementation. This stage usually follows a few weeks after the Stage 1 audit. The auditor will check whether your management system has really materialized in your company, or if it is only there on paper. He will check this through observation and interviewing your employees, but mainly by checking your records. So, you need to make sure you are really complying with everything you have written in your policy and procedures. If there are no major nonconformities, the certification body will issue the certificate to your company.

    You already know, from stage 1, that the system is designed according to the standard; however, now you want to know if the system is implemented, if documents are followed and mandatory records kept.

    Checklist for stage 1 is different from checklist for stage 2 because the audit purpose is different.

    B) Gap analysis and internal audit both activities play crucial roles in driving organizational improvement and ensuring the successful implementation of a management system. A gap analysis is primarily concerned with identifying gaps between an organization's current practices and the requirements of a management system, whereas an internal audit evaluates the adequacy and effectiveness of the implemented system (main difference), including compliance with standards and regulations. The checklist used in a gap analysis can be generic and have a column to report what exists already and the gaps. The checklist used with internal audits has a column to report what is actually being found and observed.

    C) When you’re planning an audit, you should try to minimize the disruption brought by the audit team while carrying out the audit. You don’t want to audit a role in the morning and after lunch of the first day and in the morning of the second day. So, consider this constraint while scheduling your audit plan. I prefer identifying departments in the audit plan because it is something that everybody in the organization is aware of. Not everybody knows about processes and even less about the clauses of the standard. Remember, the audit plan is a communication tool. About the matrices, I like to write them while I prepare the checklist to be aware of the kind of questions I should ask.

    You can find more information in the following documents:

    • Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/blog/2016/05/17/use-gap-analysis-iso-9001-implementation/
    • Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    • ISO 27001 compliance process

      In general terms, after obtaining support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

      • define the basic structure of the ISMS (for example, scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties
      • develop the risk assessment and treatment methodology
      • perform a risk assessment and define the risk treatment plan
      • implement controls (for example, documenting policies and procedures, procurement, etc.)
      • train and raise the awareness of people
      • control the operation
      • monitor and measure performance
      • perform an internal audit
      • perform the management review
      • address nonconformities, corrective actions, and opportunities for improvement.

      To see what ISO 27001-compliant documents look like, I suggest you take a look at the free demo of our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/pt-br/kit-de-ferramentas-da-documentacao-da-iso-27001/

      This article will provide further explanation of the ISMS implementation:

      These materials will also help you with regard to implementing ISO 27001:

    • ISO 27001 compliance process

      In general terms, after gaining support for your project (through approval of the ISMS project plan) and approval of the Document and Records Control Procedure, you should consider these steps:

      • define the basic structure of the ISMS (eg scope, objectives, organizational structure), by understanding the organizational context and stakeholder requirements
      • development of risk assessment and treatment methodology
      • perform a risk assessment and define the risk treatment plan
      • implementation of controls (eg, documentation of policies and procedures, procurement, etc.)
      • people training and awareness
      • control the operation
      • performance monitoring and measurement
      • perform an internal audit
      • carry out a critical management review
      • address nonconformities, corrective actions, and opportunities for improvement.

      To see what ISO 27001-compliant documents look like, I suggest you take a look at the free demo of our ISO 27001 documentation kit at this link: https://advisera.com/pt-br/kits-de-documentacao/

      This article will provide further explanation of ISMS implementation:

      • ISO 27001 Implementation Checklist https://advisera.com/27001academy/pt-br/knowledgebase/iso-27001-implementation-checklist/

      These materials will also help you with regard to implementing ISO 27001:

    • Questions

      1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.

      We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.

      What should we put in the documentation instead of CISO?
      Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
      Or alternatively should we only include job titles that we actually have in the company?
      I am not sure how to present this in the documentation and audit.

      Please note that, besides top management, ISO 27001 does not prescribe any specific role to perform information security-related activities, so you can use the job titles that you actually have in your company.

      For further information, see:

      2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
      1) they include a lot of the same columns.
      2) you can use filter instead of copy pasting those risks that need treatment. Copy pasting between tables is error prone.

      Does the standard require these tables to be separate?
      Can you explain why these are separate in the toolkit?
      Any other comments will be very welcome.

      ISO 27001 does not prescribe risk assessment and risk treatment to be documented as separate documents, but we do not recommend merging the Risk assessment table and Risk treatment table.

      This is because not all risks from the Risk assessment table need to be treated, and very often for one risk you would need several controls (i.e., several lines for the same risk, each one associated with a different control). Keeping a single table would result in an unnecessarily big and complex table to manage.

      Therefore, it is much easier to have two separate sheets for this purpose.

    • Non-Conformity in RR

      ISO 27001 does not require the impact on confidentiality, integrity, and availability to be assessed as separate values.

      The Risk Assessment Methodology document generated through Conformio specifies that the risks related to confidentiality, integrity, and availability will be identified by listing the assets, threats, and vulnerabilities, while the same document specifies that the consequences of endangered confidentiality, integrity, and availability will be assessed by assessing the level of impact. The Risk Register implements risk assessment according to those rules.

      Here is what ISO 27001 says:

      • ISO 27001 clause 6.1.2 c) 1) requires “apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity, and availability for information within the scope of the information security management system”
      • ISO 27001 clause 6.1.2 d) 1) requires “assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;”

      In other words, the standard does require that risks related to confidentiality, integrity, and availability be identified, and their consequences assessed, but this doesn’t mean separate values for these. As a consequence, the majority of companies that go for ISO 27001 certification (I’m referring here not only to Advisera, but also to non-Advisera customers) do not use separate values for confidentiality, integrity, and availability.
