Search results

Environmental sample handling

In terms of ISO 17025; Sampling (clause 7.3), Handling of Samples (clause 7.4) and Facilities and environmental conditions (clause 6.3) conditions must be met. Record keeping, including chain of custody records are crucial. The actual best practices will depend on the parameter to be tested, and your sector / regulations. All will, however, cover sampling, preservation, handling, transport and storage. The requirements for microbiological, chemical, toxicological and biological assays differ widely, and cannot unfortunately be detailed in this response. There are International and National standards available, as well as guidance from organisations such as WHO, EPA and FDA; that you can look at.

Have a look at the ISO International Classification for Standards (ICS) 13, for Environment, Health protection and Safety (https://www.iso.org/ics/13/x/) with 13.060 covering Water Quality (https://www.iso.org/ics/13.060/x/). Here, for example, you will find access to ISO 5667-3:2018 Water quality — Sampling — Part 3: Preservation and handling of water samples. For microbiology look at ISO 19458:2006 Water quality — Sampling for microbiological analysis.

For WHO, EPA and FDA guidelines, I suggest you got their websites and search, based on your specific criteria. For example https://nepis.epa.gov/Exe/ZyPDF.cgi/P1000PUE.PDF?Dockey=P1000PUE.PDF provides the latest Supplement 1to the Fifth Edition of the Manual for the Certification of Laboratories Analyzing Drinking Water.

For more information on ISO 17025 requirements for Sampling (clause 7.3), Handling of Samples (clause 7.4) and Facilities and environmental conditions (clause 6.3), see the ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

Customer specific requirements

Customer-specific requirement (CSR) is very important for the IATF 16949: 2016 standard. The standard requires customer-specific requirements (CSR) to be evaluated and adapted to the quality management system.

1. CSRs should be read, and additional expectations should be indicated in a table. The table can be in any format you want. The table should show a match with the special requirement and documents in your quality management system.

2. Special requirements contained in CSRs should be mentioned in Quality management documentation such as the relevant process, procedure, instruction, and/or quality manual.

3. Of course, the relevant process owners should be knowledgeable and trained about these special requests. For example, one special requirement of VW is to make a process according to VDA 6.3. In summary, this requirement should be shown in the table, it should be matched with your QMS document, this requirement should be input into the relevant document. You should use the VDA 6.3 format for internal audit reports and your internal auditors should be VDA 6.3 certified.

After reviewing the CSRs, it is also important to document an action plan about the issues you cannot comply with. This means that the CSR has been reviewed by the organization and there is awareness. Open actions should be completed as soon as possible.

For more information, see:

• How to satisfy customer specific requirements when implementing IATF 16949 https://advisera.com/16949academy/blog/2019/07/02/iatf-16949-customer-specific-requirements-how-to-meet-them/

• Quality objectives in relation to ISO 9001 external audit

  No, it will not be a reason for nonconformity during an external audit, unless it is something that the company does systematically. For example, in a year like 2020 with events like the coronavirus, it is natural that many objectives, depending on the context, are not attainable.

  The following material will provide you more information:

  • Article - How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
  • Article - How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
  • Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 -
    https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• ISO 9001 most suitable approach

  Not all clauses are applicable in every area of an organization. I recommend starting from the process map. Organizations should develop a model based on the process approach. So, for each process study what are the applicable clauses from ISO 9001:2015 and what are the applicable internal documents. Please check these two free webinars on demand:

  • The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
  • How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ (includes a slide about developing checklist questions)
     

  You can find more information below:

  • Course - Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

• How to align current policies with ISO27001

  I'm assuming by your question that you are not considering certification, only compliance with the standard.
   
  Considering that, to align the stated policies with ISO 27001 you need to:

  • identify the processes where these policies are used.
  • identify legal requirements (e.g., laws, regulations, and contracts) that impact information security related to the identified processes.
  • perform the risk assessment process, to identify relevant information security risks related to the identified processes.
  • perform risk the risk treatment process, to identify how to treat relevant information security risks and which controls from ISO 27001 Annex A to implement.
  • Identify which controls from ISO 27001 Annex A to implement, based on identified legal requirements.
  • adjust the policies according to the identified controls.

  To see how similar policies compliant with ISO 27001 looks like, please see:  

  • Backup Policy https://advisera.com/27001academy/documentation/backup-policy/
  • Mobile Device and Teleworking Policy https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
  • Policy on Use of Encryption https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
  • Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/
  • Change Management Policy https://advisera.com/27001academy/documentation/change-management-policy/

  These articles will provide you further information:

  • ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
  • How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
  • What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
  • How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
  • How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/
  • How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  These materials will also help you regarding risk assessment and ISO 27001 Annex A controls:

  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• ISO 45001 Lead auditor certification

  To gain certification as a lead auditor for ISO 45001, the new standard for the occupational health & safety management system, you will need to attend a lead auditor training course. These tend to be a week long course, and include a test at the end to assess your knowledge of ISO 45001 and your ability to audit the standard. These are offered by many different companies which you will need to search for in your area, but make sure that you choose a course which is accredited so that your certification will be recognized.

  You can learn more in the article: How to become an ISO 45001 lead auditor, https://advisera.com/45001academy/blog/2019/12/11/iso-45001-lead-auditor-how-to-get-certified/

• Question about Annex 6.1

  Please note that you need to define a role responsibility whenever required in the document, not once. In our templates, you can easily identify where the definition of a role responsibility is required by the use of the expression job title between brackets ([job title]). Depending on the stated action you can define different job titles as responsible.

  This approach is enough to fulfill the requirement of ISO 27001.

• Business continuity policy and objectives

  Recently ***, VP of ***, at our request, acquired the Spanish ISO 22301 Document Package (with expert support) through order No. ***. We heard about this service when we participated in a webinar taught by you recently. Thank you for the good product you have supplied us. At this moment, we are working on the Business Continuity Policy document and we want to ask you the following:

  We note that the template they propose does not contain a specific postulate or policy statement, as is the case for example in the case of ISO 9001-2015. Likewise, in the content of the title Definition of business continuity objectives, examples of these objectives are not defined or shown, but rather refers to an internal document that is not within the templates provided.

  Can you please provide us with written templates for the statement of business continuity policy and specific business continuity objectives?

  Please note that ISO 22301 does not require the definition of a statement of business continuity policy (defining one would only make the document unnecessarily more complex). The content of the Business continuity policy template covers all requirements needed for compliance with the ISO 22301 standard.
   
  Regarding the business continuity objectives, templates for them are not included in the toolkit because these depend on the specif context and business objectives of each organization, so providing generic templates applicable to all organizations would be unfeasible, and these may lead organizations on adopting objectives not aligned with their needs.
   
  General examples of business continuity objectives may be:

  • Comply with xyz law/regulation by December 31, 2017, using ISO 22301 methodology
  • Enter a new market in the next 12 months because of the ISO 22301 certificate
  • During 2021, improve our recovery time by 12 hours while not incurring new costs. 

  This article will provide you a further explanation about business continuity objectives:  

  • Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/

• ISO 9001 Documents for certification

  There is mandatory documentation and non-mandatory documentation. Mandatory documentation in ISO 9001:2015 can be recognized by the wording “maintain documented information” and “retain documented information” in the standard.

  Non-mandatory documentation is each organization’s option, according to the “extent considered necessary”, please check clause 4.4.2.

  Please check this article about mandatory documentation - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

  You can find more information about ISO 9001:2015 below:

  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/