Search results

Early stage compliance

What do you mean by start-up? Let us consider two hypotheses:

• A - Let me use start-up to represent a new company with an established business model, like a restaurant, like a new shoe manufacturing plant, or a new transport company.
• B - Let me use start-up company as a designation for a project of company in search of a business model. Startups, in reality, are not yet companies, they are still projects of companies in search of a successful business model and customer fit. So, a startup is like an experiment being done. The startup can be called a company only after finding the right business model, a customer fit, and when it starts scaling. Only then, the procedures and internal standards are ready to be documented.

So, for situation B it is too early to certify. For situation A, I think it is easier to get ISO certification than with an established company (with same resources and motivation). An established company has to unlearn some practices and that it is not always easy.

For situation B certification makes sense only after starting to scale.

You can find more information below:

• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• What are the benefits of ISO 9001 for your employees? - https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/
• How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Clause 8.1 Management system requirements

Clause 8.1 does not require a procedure. It specifies the need to establish a management system and document it to the extent necessary so that the laboratory can achieve the requirements of ISO 17025. This means it is more applicable to apply clause 8.1 to a policy statement. e.g. State as a policy “The laboratory is committed to establishing,  documenting and maintaining a management system to meet the general, structural, resource, process and management requirements of ISO 17025”. This is typically documented in the Quality Manual, not as a procedure. If the laboratory does not have a system already established in accordance with ISO 9001, then state that the Option A applies, where the clause 8 management requirements are addressed as part of ISO 17025. If the laboratory does have a system already established in accordance with ISO 9001, then state that the Option B applies, where the clause 8 management requirements are addressed as part of ISO 9001, including laboratory activities. This means that, for example how complaints and corrective action are handled, fall under the ISO 9001 activities and evidence can be shown of laboratory activities being included.You can link this clause 8.1 to your overall project planning to implement ISO 17025:2017.

Have a look at the ISO 17025 toolkit document templates for some more insight:  

• Quality Policy at https://advisera.com/17025academy/documentation/quality-policy/;  and
• Quality Manual at https://advisera.com/17025academy/documentation/quality-manual/
• Project Plan for ISO/IEC 17025 implementation at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation

The following articles may be of interest :

• List of mandatory documents required by ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/ 
• Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

Excluding "Design" from the ISO audit

Let us consider three situations:

a) Company does not perform design activities
b) Company performs design activities, but they are performed outside the scope of the quality management system
c) Company performs design activities, and they are performed within the scope of the quality management system and the company decides to exclude design from the certification process

Situations a) and b) are allowed, but the organization has to explain why design was excluded. These are common, pacific situations.
Situation c) is not allowed. If design is performed within the management system scope it must be included. Not including design is a major non-conformity.
The following material will provide you more information about exclusions:

• What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
• Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope -
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 9001 - getting started in a quality department

I think that a quality department should develop three areas of expertise:

• Quality control
• Quality improvement 
• Quality development 
   

For quality control you can start with the risk-based thinking and developing a quality control plan from scratch: what to control, where, with what frequency, how, by whom, where to record, whit what specifications.

For quality improvement you start with the facts collected with quality control and customer satisfaction using tools to find trends, find priorities to improve your system.

Root cause analysis is fundamental for quality improvement and can be one of the bases for developing knowledge about how to design quality into products and services from the beginning.

The following material will provide you more information:

• Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/ Article - How to establish QMS Statistical Process
• How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
• Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 –
  https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
   

BCMS objectives

Please note that business continuity objectives depend on the organizational context and the organization's own business objectives and strategies, so it is unfeasible to provide specific inputs.

Generally speaking, you can have at least two types of objectives:

1. Strategic objectives – for your whole Business Continuity Management System, and
2. Tactical objectives – Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Minimum Business Continuity Objectives (MBCOs), and exercising and testing objectives.

These articles will provide you a further explanation about BC objectives and organizational context (although the last article is about ISO 27001, the same concept applies to ISO 22301):

• Setting the business continuity objectives in ISO 22301https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/
• How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

This material will also help you:

• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

License management Auditing

Please note that ISO 27001 does not approach specifics about processes and technologies. It only defines requirements for information security management and information security objectives to be achieved.

Considering that "License management" involves the control and documentation of the software products your business uses, and where and how they are used, you should consider at least auditing these controls:

• A.8.1.1 Inventory of assets
• A.8.1.3 Acceptable use of assets
• A.12.5.1 Installation of software on operational systems
• A.12.6.2 Restrictions on software installation
• A.18.1.1 Identification of applicable legislation and contractual requirements
• A.18.1.2 Intellectual property rights

This article will provide you a further explanation about developing an audit checklist:

• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

These materials will also help you regarding performing an audit:

• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Integration of 22301 and 27001 - common policies

Considering ISO 27001 and ISO 22301, which have a lot of requirements in common, it is perfectly possible to integrate some documents. In fact, this can bring many benefits, like decreased costs in implementation, maintenance, and internal audits.

This article will provide you a further explanation about integrated implementation:

• How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

This material will provide further information:

• Free webinar – ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

This material will provide information about overlaps:

• ISO 27001 vs. ISO 22301 matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-22301-matrix

Converting from 17025:2015 to 17025:2017

Transition is primarily about meeting the changed and new requirements. As a laboratory the transition means you need to identifying any gaps in your policies, objectives, processes, procedures and records, to meet ISO 17025:2017 scope of requirements (see clause 8.1.1 and 8.2). Revising and or establishing the necessary documents is part of the process, however there is no prescribed way to number your documents.

Many laboratories that used the ISO 17025:2005 clause numbering have realigned the numbering with the new clauses. Others have not. What is important is link everything to the management system (clause 8.2.4), remove obsolete documents from use and make sure personnel have clear access to all the information necessary to comply with the new version.

Decide what will work best for your laboratory, practically, considering opportunities and risks of different ways you could go about the changes to your documentation.

The following may assist you:

• The ISO 17025 toolkit document template: Quality Manual at https://advisera.com/17025academy/documentation/quality-manual/
• The article List of mandatory documents required by ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/ and
• The Whitepaper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

Focus area on a surveillance visits

Broadly speaking, you must focus to keep the documents up to date and to make sure everyone complies with all the documents.

This approach ensures that all elements of your ISMS will be ready for the surveillance visit, regardless of the surveillance audit scope.

This article will provide you a further explanation about surveillance audit:

• Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

Can contract manufacturer exclude validation from their scope?

No, exclusion 7.3.7 Design and development validation is not possible since it is a strict requirement from the standard. They have to have documented validation plans and all other arrangments. However, this can be outsourced to some other company or laboratory, but then this should be explained as such.