Search results

Accreditation of 17025

You  asked

1. I would like to know if all the used samples should be a CRM samples in order to obtain the 17025 accreditation and if we could realise just one repetability reproductibility test on one sample and compare the results with a CRM sample.

Method Validation and measurement uncertainty involves investigating the effect of both systematic and random errors on the accuracy of results. This involves two components -trueness and precision. Both these are qualitative descriptions, where bias is measured to represent trueness; and a measure of spread of results, such as standard deviation to quantify precision. Precision studies include repeatability, intermediate precision and reproducibility. Typically you will use a matrix matched reference material (RM), reference method or reference value to determine any bias; while test samples or spiked sample blanks (matrix matched) are acceptable for the precision studies. Of course RMs could also be used. It is important, either way,  to represent the entire working range; menaing that low, medium and high range samples should be included.

You  also asked

2. we use a Spark Atomic Emission Spectrometry to realise the chemical analysis (zinc and aluminium), there is any criteria in the iso 17025 that obligate us to use an ASTM OR AN iso reference and if yes what should we do if our range of work is out the range mentioned if the standard."

The laboratory need not use a standard method, unless a client or the sector specify you must. As an ISO 17025 accredited laboratory you need to select suitable methods and prove through method validation and quality control; they are adequate for the purpose. The involves showing that the inhouse or non-standard method achieves the performance required- for example limit of detection, accuracy, along with suitable low-enough measurement uncertainty.  This is where Proficiency testing or interlaboratory studies can be used to evaluate how the nonstandard method performs compared to laboratories who may be using a standard method. 

For more information, see the ISO 17025 toolkit procedure Test and Calibration Method Procedure, at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/; along with the two supporting documents Test Method Development, Verification and Validation Register and Test Method Development, Verification and Validation Record.

Offices within scope

If you have e.g. hundreds of branch offices, then you should specify only the locations of main offices in your ISMS Scope document, and refer to some other document where you list all the branches - this other document could be your internal or public list of branch offices. 

If you go for the certification, you should consult with your certification body on how to document the locations. 

Here are some materials that will help you with setting the ISMS scope: 

• article How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• article ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• free online training ISO 27001 Foundations Course

Questions for ISMS

1. What is the ideal KPI's to measure the effectiveness of ISMS in an organization?

ISO 27001 does not prescribe which performance indicators should be adopted by organizations, so there is no such thing as an ideal KPI, and organizations must define them according to their needs and objectives. Some common issues organizations should take into account when defining KPIs are:

• Business relevant: indicator aligned to clear business objectives or legal requirements
• Process integrated: a KPI should add the least amount of work possible into business processes.
• Assertive: the indicator should be capable of pinpointing relevant issues that need attention.

As general examples we have:

• Percent of business initiatives supported by the ISMS
• Number of security-related service downtimes
• Percent of controls assessment performed
• Number of improvement initiatives

These articles will provide you a further explanation about performance indicators and security objectives: 

• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
  - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

2. Can the internal auditor participate in the ISMS activities and take some responsibilities e.g review Policies and standards, develop and create missing documents, be an ISMS Advisor...etc

I'm assuming that by "standards" you mean "procedures".

Considering that, in case you only have one internal auditor, he should not participate in the ISMS activities and take responsibility for its implementation and operation, because this would cause a conflict of interest during the audit (an auditor should not audit his own work). In case you have more than one internal auditor available, they can perform some activities, provided that during the audit they do not audit their own work.

This article will provide you a further explanation about internal audit:

• Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/

These materials will also help you regarding internal audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Access control

Considering ISO 27001, I suggest these articles from Advisera:

• How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
• How two-factor authentication enables compliance with ISO 27001 access controls https://advisera.com/27001academy/blog/2017/01/16/how-two-factor-authentication-enables-compliance-with-iso-27001-access-controls/
• The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
• How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/

Considering other sources, I suggest:

• NIST Special Publication 800-53 (Rev. 4) - Security and Privacy Controls for Federal Information Systems and Organizations https://nvd.nist.gov/800-53/Rev4/family/Physical%20and%20Environmental%20Protection 

These materials can also help you:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Access control

Considerando a norma ISO 27001, sugiro consultar os seguintes artigos da Advisera:

• How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
• Como a autenticação por dois fatores apoia a conformidade com os controles de acesso da ISO 27001 https://advisera.com/27001academy/pt-br/blog/2017/01/17/como-a-autenticacao-por-dois-fatores-apoia-a-conformidade-com-os-controles-de-acesso-da-iso-27001/
• The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
• Como proteger contra ameaças externas e do meio ambiente de acordo com o controle A.11.1.4 da ISO 27001 https://advisera.com/27001academy/pt-br/blog/2016/01/27/como-proteger-contra-ameacas-externas-e-do-maio-ambiente-de-acordo-com-o-controle-a-11-1-4-da-iso-27001/

Considerando outras fontes, sugiro:

• NIST Special Publication 800-53 (Rev. 4) - Security and Privacy Controls for Federal Information Systems and Organizations https://nvd.nist.gov/800-53/Rev4/family/Physical%20and%20Environmental%20Protection

Este material também pode ajudar:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Implementing ISO 27001 in a greenfield

1 - What are the key considerations when implementing an ISMF such as the ISO 27001 in a greenfield site – i.e. an organization where there are nothing in terms of security policy or practice. Would we go through the normal workflow of implementing ISO 27001 or are there deviations?

ISO 27001 was designed to be implemented in organizations of any size and industry, so the general steps are the same, including a greenfield site. In fact, in some cases, the absence of previous security policies or practices is good because it does not bring undesired behavior and minimizes resistance to change.

Broadly speaking, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

• defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
• development of risk assessment and treatment methodology;
• perform a risk assessment and define the risk treatment plan;
• controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
• people training and awareness;
• controls operation;
• performance monitoring and measurement;
• perform an internal audit;
• perform management critical review; and
• address nonconformities, corrective actions, and opportunities for improvement.

To see how documents compliant with ISO 27001 look like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

This article will provide you a further explanation of ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

2 - Can you suggest any additional resources I could use for greenfield implementation?

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course at this link: https://advisera.com/training/iso-27001-foundations-course/ 

Role of Top Management

Top management has an invaluable role in communicating internally the importance of the environmental management system (EMS), in promoting and in financing the EMS. ISO 14001:2015, clause 5.1, gives some help in answering to your question:

• Top management is responsible for issuing and keeping updated a strategic orientation for the EMS, translating those priorities into a set of environmental objectives
• Top management is responsible for providing resources for the EMS, has a unique role in communicating the importance of the EMS not just by words but by its agenda, by the time used in analyzing performance and asking for improvement.

Please check the following information:

• What are the responsibilities of top management in the EMS according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/01/18/what-are-the-responsibilities-of-top-management-in-the-ems-according-to-iso-140012015/
• To what extent should top management be involved in your EMS after the implementation? - https://advisera.com/14001academy/blog/2016/10/03/to-what-extent-should-top-management-be-involved-in-your-ems-after-the-implementation/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

GDPR Logo

No, GDPR doesn't have a conformity mark as CE.

You can consider enrolling in this free online training:

• EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//