It is up to the laboratory to plan the internal program and define the scope of each audit as it suits operations. They should be based on risk, meaning if there are particular activities where nonconformances have occurred or there is pressure on the laboratory (increased risk), these activities should be included. There is no mandatory way to go about your internal audits; therefore, you can combine any activities and any assessments that you deem necessary. It is important to clearly define the audit scope and requirement criteria before you start. Then, as a competent auditor, you would proceed with the audit to the depth you deem necessary, raising findings against the specific criteria and referencing the ISO 17025 clauses.
The following will provide more information for you on Auditing and ISO 17025:
The White paper (free for download) How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
The article ISO 17025 technical internal audit: The basics at https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/
The ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure
The five Internal Audit Procedure appendices (Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist, and Internal Audit Report) are available separately from the procedure link above, or included in the toolkit for preview and purchase.
No reference materials are accredited by ISO 17025. The laboratory must determine the reference material/specimen criteria for any standard methods used, and ensure these are complied with. I cannot comment specifically on a sector requirement.
For more information, have a look at
The article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
The ISO 17025 toolkit document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/
The ILAC P10:07/2020 ILAC Policy on Metrological Traceability of Measurement Results available from https://ilac.org/publications-and-resources/
As you know, article 4.4.1.2 of the IATF 16949:2016 standard is related to product safety. You can document its requirements, from subparagraph a) to subparagraph m), in the form of a procedure, an instruction, a manual, or a process.
The important thing is that you have somehow defined it in the quality management system.
First, I would check what your internal audit procedure recommends in these cases.
Since it is an internal audit, what to do depends on internal policy, tradition, or culture.
If there is enough evidence collected during the pre-audit planning, it is irrelevant whether it is a nonconformity, a remark, or a non-official nonconformity. You want the organization to be aware of the situation and act upon it. Whether it is a formal or an off-the-record nonconformity is irrelevant.
If the standard that you have to use is ISO 13485:2016, then there is no difference between the countries. ISO standards are international standards that are applied to all countries.
In case you do not have any applicable legal requirements documented (e.g., laws, regulations, or contracts), the Register of Requirements can be left blank. Internal security policy requirements do not need to be documented in this register, and a Master Service Agreement with no specific security control agreement also does not need to be included in the Register of Requirements.
However, it would be very strange not to have any legal or regulatory requirements. For example, in most countries, privacy regulations require companies to protect personal data they process, and every company does have personal data (if nothing else, the data about their employees).
Please check this free webinar on demand - ISO 9001:2015 Clause 4 - Context of the Organization, Interested Parties, and Scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/ where I present an approach about how to implement context analysis and relate it also with the risk-based thinking. Why do you have a management system? To help your organization in achieving objectives aligned with policy (strategy). BTW, check the ISO 9000 management system definition, something like: system to establish a policy, a general orientation, translate it into objectives, tangible challenges, and then work to achieve them.
With context analysis you can think about the internal issues that you need to tackle to achieve the objectives. Let's consider, as an example, that one of your management system objectives is to reduce complaints by 20% in the next 12 months. After performing a Pareto analysis, you realize that more than 50% of all complaints are about dirty or open bags with product leaking. Your internal issues are about the internal strengths that you need to take advantage of, and about the internal weaknesses that need to be reduced or eliminated to achieve your objective.
External issues are about things that your organization cannot control. They bring uncertainty and may help or hinder your plans to achieve the objective.
The truth is that there is more than one way of using context analysis; this is one of the possibilities. I like this approach because it makes participants focus on things that are relevant for the organization. Doing context analysis without considering the management system objectives normally leads to long lists of internal and external issues without any added value. You can find more information below:
Hello Kristina, and where can I find this clause implemented on the toolkit? Thank you very much!
The inclusion of controls in the SoA based on a compliance need (i.e., to be compliant with the Baseline Information security for the Dutch government) is acceptable for the certification process.
However, to be able to succeed in ISO 27001 certification process, you need to perform the risk assessment as well. Based on the results of the risk assessment, and based on requirements from interested parties (including the Dutch government requirements), you can define in your Statement of Applicability which controls are applicable.
Please note that, while less frequent, disruptions caused by the failure of system-wide assets can still happen:
So, even if your area is not directly hit, a disaster that hits your provider can affect your ability to access documents in your systems.