
  • IATF 16949 4.4.1.2 Product

    Product safety is an issue addressed in the new version of the IATF 16949:2016 standard. The parts from "a" to "m" of clause 4.4.1.2 cover almost the entire standard. Item h) is more about responsibility, authority, knowledge, and the escalation process.

    I have listed the typical audit questions for item "h" below, but the questions are not limited to these.

    • Who is defined as the product safety officer, and how and where was it documented?
    • Do all employees know their duties and authorities regarding product safety?
    • When a customer complaint is received, who does what, how has this subject been described in the organization, and are the relevant employees competent and knowledgeable about customer complaints?
    • How did the organization define the escalation process?
    • Is a document such as an escalation matrix, etc. defined in the QMS structure?
    • Are all employees, including senior management, knowledgeable about product safety?
  • CE Marking and Major NCRs

    You are supposed to get this information from your Notified Body. Usually, for a major NC it is necessary to send a CAPA plan and proof of solving it within one month.

    Here is some general guidance on how to deal with non-conformities:

    • How to deal with nonconformities in an ISO 9001 certification audit- https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/

    • Role of an ISO Lead Auditor and Implementer

      1. What is the role of the lead auditor and lead implementer in ISO processes?

      First, it is important to note that ISO management system standards do not require a lead auditor and/or lead implementer to perform ISO processes, so organizations are free to adopt these roles or not according to their needs.

      Considering that, the lead implementer's role is to guide the management system implementation, from the identification of requirements to implementation of corrective actions and opportunities for improvement identified in the management review.

      The role of the lead auditor is to define the audit program, perform audits, and elaborate audit reports, according to the requirements of the ISO management standard. In case there is more than one auditor involved, the lead auditor is the responsible person for the team.

      For further information about these roles, see:

      2. Why should an organization have such persons?

      Lead implementers are not normally considered for regular positions in organizations, because in most cases management system implementations are project-related activities, with a defined date to start and finish (it is best to hire them as consultants).

      On the other hand, internal audits are regular activities to be performed in a management system, and depending on the complexity of the audit program, when a single internal auditor is not enough to ensure a proper audit process, the presence of a lead auditor can bring benefits in terms of organization and dissemination of competencies (they are qualified to train internal auditors).

      For further information, see:

      These materials will also help you regarding internal audit:

    • Warranty and Lifetime

      The company where I work is not very big, and its activity is related to the assembly of wire harnesses for the automotive industry.

      Recently I was requested to give info on the lifetime of the product and warranty management to a potential OEM customer. I have of course read the IATF points related to this, but it's still not very clear. What are the obligations related to warranty management from the supplier side?

      As you know, the quality responsibility for the product belongs to the manufacturer and designer throughout the product lifetime. The solution to problems related to product design belongs to the party responsible for product design. The production factory is responsible for problems related to the production quality of the product.

      Complaints about the products produced by the supplier can come in two ways:

      • Directly from the factory to which it sells the product
      • From vehicle service

      If the supplier receives complaints directly from services or from the factory, these issues must be addressed according to the complaint management clauses 10.2.3, 10.2.4, 10.2.5 and 10.2.6 of the IATF 16949:2016 standard.

      What info do I have to collect to answer about lifetime?

      Product lifetime information such as life, durability, replacement time, etc. should come from the party responsible for product design. This information should come from the product technical drawings and/or technical specifications.

    • Adequacy under GDPR

      Yes, you can transfer data to a third country that is not considered adequate under GDPR. Article 46 GDPR allows parties to transfer data with a legal and binding agreement adopting the Standard Contractual Clauses (SCC) as implemented by the EU Commission. These SCCs are requirements that parties agree to implement voluntarily in order to provide adequate safeguards for the transfer of data. They concern the protection of data subjects' rights, the security of transfers, and the processing of data in accordance with the EU GDPR provisions.

      Here you can find the template of the Standard Contractual Clauses Annexes (MS Word) as implemented by the EU Commission: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes

      Here you can find more information about data transfers.

      To have a deeper idea of the list of requirements of GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

    • Data Protection Officer

      Yes, you can appoint an internal Data Protection Officer (DPO), who should have knowledge of GDPR and data protection legislation.

      Article 38 GDPR does not prescribe whether the position is internal or external; the choice is left up to the controller. It is important that the person appointed has independence from the board and the professional skills to perform the tasks listed in Article 39 GDPR. Our course and the final exam can demonstrate that the appointed DPO has sufficient knowledge to perform the tasks.

      Here you can find more information on the role of DPO:

      To have a deeper idea of the list of requirements of GDPR and the role of DPO you can consider enrolling in our free online courses:

    • Management reviews (Option A)

      Morning Tracy, thank you very much.

    • Risk assessment

      General steps for risk assessment and treatment are:

      • Risk identification (i.e., identification of the elements that compose the risk, and of already implemented controls)
      • Risk analysis (i.e., the definition of the risk value, considering any already implemented controls)
      • Risk evaluation (i.e., comparing the risk value to the risk acceptance criteria to decide if additional treatment is required)
      • Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)

      Here is an example considering a scenario where a power generator is no longer needed, possible power failures will be covered by a UPS, and the asset-threat-vulnerability approach is used:

      • Risk identification: the assets would be any power-dependent equipment (e.g., servers, desktops, routers, etc.), the threat (power failure), the vulnerability (lack of a power generator), and the implemented control (UPS)
      • Risk analysis: without any emergency power supply, your operations will run only as long as the charge of your UPSs lasts before the normal power supply is recovered, so the risk of operational disruption will increase with time (i.e., to value the risk you have to consider how long your UPSs will last and how long it will take for the normal power supply to be re-established).
      • Risk evaluation: considering your risk evaluation criteria, you can decide how to treat the risk (e.g., mitigate, transfer, accept, or avoid)
      • Risk treatment: for mitigation, you may decide to keep the power supply; for transfer, you can decide to operate in a facility physically maintained by a third party; or you can do nothing and absorb the impact if the risk occurs.
        Please note that this analysis is valid only for this scenario. For example, if the asset to be removed is a notebook, you must take other considerations into account, such as the information stored in the notebook.

      To see what documents for performing risk assessment and treatment compliant with ISO 27001 look like, please access the demo templates at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

      These materials will provide you a further explanation about risk assessment and treatment:
      - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
      - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

      These materials will also help you regarding risk assessment and treatment:
      - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
      - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
      - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    • Risk assessment

      When you assess the impact and the likelihood of an asset-threat-vulnerability set for which you have already implemented controls, you have to take the existing controls into account (because they decrease the probability of your risk). In such cases, you need to include in your assessment the information about the "existing controls" (e.g., you can use a plain description of the control, without referring to ISO 27001 or ISO 27002).

      For further information, see:
      - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
      - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
      - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    • Setting up a Microbiology Lab and getting cannabis GMP certification

      You asked

      "Is it possible to get GMP certification on cannabis testing within a laboratory without having GMP certification in the Microbiology dept.?"

      GMP is Good Manufacturing Practice (GMP) and relates to the production and control of products (and facilities) through quality standards. Typically in larger companies, the company / production facility will be GMP certified, not the quality control / testing laboratory. This does, of course, depend on the company structure (the company and laboratory may be the same entity). As the company must maintain reliable testing laboratories, this means all quality aspects, including the quality control microbiology laboratory, must be GMP compliant. The laboratory functions as an in-house testing facility, so it must comply with the requirements of GMP as they relate to what it does.

      You also asked

      If not, then if the laboratory is ISO 17025 accredited, then presumably we will have to get GMP accreditation first for the Microlab and then for cannabis testing, or can we combine the two?

      Regulations vary greatly for cannabis products – some countries / states require testing laboratories to be ISO 17025 accredited. GMP is more commonly a compliance requirement. Yes, you can certainly combine the GMP and ISO 17025 implementation. I would suggest you start by developing an ISO 17025 implementation / GMP compliance plan and incorporate accreditation for the laboratories as part of that plan. Identify and address all the laboratory requirements and expand the documentation and requirements to meet GMP as well.

      It will depend on your customer and regulatory needs whether you apply for ISO 17025 accreditation or GMP certification first. Have a look at the following articles for a further overview of ISO 17025. The Toolkit may be a suitable start.
