Search results

Help in ISO 17025 implementation

You asked

Will a reference standard be accepted that will expire in June 2023, knowing that the laboratory seeks effective application of ISO 17025?

As long as the certified reference material (CRM)  has been stored according to requirements, and it is used before expiry, you can show acceptability to use it and traceability of your results through the material's certified value.

It is however always best practice to test one lot number of a reference material against an existing material for which you have quality control data. This will provide reassurance in the certified value, particularly if you are close to the expiry date.

You also asked

if it is mentioned in the certificate of the reference material that the re-test of the material in 2024, what is the method used to re-test and verify the effectiveness and stability of the material? The test result"

The specific test depends on the material and method technique. You need to show that the certified property value/s are not significantly changed. The depth of the assessment depends on the expected influence of the CRM on the validity of the measurement and the criticality of the measurement. Use statically tools to determine if there is any significant difference in the measured property of the CRM compared to the quality control data or validation data of the same CRM when first introduced I,e before expiry.

As stability is being evaluated, and there is a possibility of breakdown components, the test must be specific and selective. Typically you will run a number of replicates of the CRM as a test sample using your normal process and quality control checks.

How do I gain 4 days of AS 9100 2nd party audits experience to be certified by Probitas for AEA?

Mark, thank you, that was helpful! I am located in CA

Internal Audit

This free webinar on-demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ can be useful to answer your question with examples.

In this webinar you will see this flowchart with the main steps regarding an internal audit process: https://i.imgur.com/KWkCg1H.png

Consider also this book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

Validation of equipment

According to requirement 7.5.6 manufacturers must validate any processes for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement. Furthermore, according to requirement 6.3 Infrastructuremanufacturer must document the requirements for the infrastructure needed to achieve conformity to product requirements. This definitively is considering using validated equipment during manufacturing.  

09.04 BYOD Policy and 09.01 IT Security Policy

The BYOD Policy and the IT Security Policy were developed as separate documents to avoid making the IT Security Policy a bigger and more complex document to read and manage, but you can merge the two documents if you want to (ISO 27001 does not require policies to be written as separate documents).

For further information, see:

• One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

Distributors role in UK MDR changes

To my knowledge, this MHRA extending the deadline does not impact the distributors since they are not responsible for placing the device on the market. So they will behave accordingly to the manufacturer's obligations.  

Questions on Training Procedure and Procedure for Infrastructure and Work Environment

1. The reason of my mail is to ask you on which document of the toolkit can I find the one that describes the trainings product?

2. On the Procedure for Infrastructure and Work Enviroment document, on section 3.5 (Monitoring and measuring environmental conditios) I wonder if this section is necessary environmental conditions nor a cleanroom to do the device, the device is not invasive and it's mostly a software with sensors to check basic vital signs using IoT.

Aligning ISO 17025 with ISO 14001, ISO 45001 and ISO 9001

The alignment of ISO QMS standards is based on the ISO harmonization using what ISO refers to as a High-Level Structure (HLS). This ensured better integration as all ISO management systems reviewed after 2012 were revised to have the same look and feel by including a set of ten common clauses. Understandably, depending on the purpose and scope of the standards, the other main clauses will differ. ISO Standards are reviewed every 5 years and either confirmed as current or revised.  ISO 17025:2017 is currently under review, however, that does not mean it will be revised, as already in 2017 the HLS was adopted. ISO 17025 was revised after ISO 9001:2015 and was aligned to ISO 9001:2015 at the time (both having the HLS). Refer to clause 8 – you will see the harmonization. For interest,  see from the ISO website that ISO 9001:2015 was last reviewed and confirmed as current in 2021; ISO 14001:2018 was last reviewed and confirmed in 2022. ISO 45001:2018 is the most recent revised standard you have mentioned.  

When integrating QMS in your organizations, you can combine activities together by referencing different clauses for different Standards and ensuring that the appropriate process is followed say for the ISO 17015 and ISO 14001 components of the integrated QMS.

For some further information have a look at my post at https://community.advisera.com/topic/laboratory-certifications-for-iso9001-and-17025/ 

ISO 27001 doubt on applicability of controls

Please note that the mentioned controls:

• 8.25 Secure development life cycle
• 8.26 Application security requirements
• 8.27 Secure system architecture and engineering principles
• 8.28 Secure coding
• 8.29 Security testing in development and acceptance 

They are intended to protect the development of any software, not just in-house software, so if your company intends to make changes to an open-source software/platform and there are relevant risks or applicable legal requirements (e.g., laws, regulations, or contracts) that justify implementing such controls, then you need to implement them.

Only in case you do not have relevant risks or applicable legal requirements or have open-source software where you do not make any changes, then you do not need to implement these controls.

For further information, see:

• How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/blog/2017/01/24/how-to-integrate-iso-27001-a-14-controls-into-the-system-software-development-life-cycle-sdlc/

Completing RTP before certification audit

You can leave some of the activities of the Risk Treatment Plan to be completed after the certification audit under the following conditions:

1. That you have implemented before the certification the controls that mitigate the biggest risks - in other words, you can leave for conclusion after the certification audit only activities related to less important controls.
2. That you have specified the deadlines for the activities related to the controls that you will be implementing after the certification in your Risk Treatment Plan - of course, those deadlines must be after the certification date.
3. That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.

This means that activities related to the most important controls must have "implemented" status at the certification, while the less important controls can have the status "planned" or "partially implemented" at the moment of the certification.

This article will provide you with further explanation:

• Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment