
  • Can aflatoxin be accredited using ELISA?

    I gather from your question that your laboratory is already accredited? Adding any test method to a scope of accreditation involves ensuring that all the ISO 17025 resource requirements (clauses 6.1 to 6.6) and process requirements (clauses 7.1 to 7.11) are met for the particular test.

    The laboratory should perform a full risk and opportunities analysis related to introducing any new test. For ELISA Assay Kits, you need to ensure that the most suitable technique (e.g. Sandwich versus Competitive ELISA) and applicable kit is used for the type of aflatoxins of interest. The laboratory must ensure that the method performance required for the purpose of the test is met. For example, the test will only provide a total aflatoxin result for the aflatoxin antibodies used in a competitive ELISA test.

    It is crucial to use a suitable kit produced by a reputable company, with published validation and performance criteria. Then the laboratory will need, as with all tests, to validate the method in-house before use. Remember that depending on the matrices, interferences must be addressed, as ELISA test methods are not suitable for certain matrices, for example strong colours and flavours in concentrated additives.

    The reply to a similar topic in the 17025 Expert Advice Community may provide some more support.
    Have a look at Methods verification at https://community.advisera.com/topic/methods-verification/

    The ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ can assist further. It includes the procedure for validation and verification of methods, named Test and Calibration Method Procedure, along with a Test Method Development, Verification and Validation Register and a Test Method Development, Verification and Validation Record. The techniques for method validation are listed as well as the required records.

    It is the responsibility of the laboratory to choose the suitable technique, plan experiments, reference sector specific guidelines and meet specific regulatory and accreditation body requirements. The procedure is also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/

  • IATF 16949:2016 Training

    As stated in the IATF 16949:2016 standard, 7.2.3 f): "Maintenance of and improvement in internal auditor competence shall be demonstrated through f) executing a minimum number of audits per year, as defined by the organization".

    The minimum number of internal audits to be performed should be determined by the organization. Performing 1 audit annually may be a risk for the knowledge and practice of internal auditors.

    If such a situation is present, my advice is that you can develop the relevant internal auditor with internal training, and they can conduct their first audit with an experienced auditor. If you indicate these points that I recommend in your internal audit procedure, it will be effective for the system.

    For more information, please read the following article:

    • Requirements for competence of IATF 16949 internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/
  • Duration of ISO 14001 implementation

    According to Advisera’s experience, companies using our ISO 14001:2015 Documentation Toolkit normally take this time:

    • Companies of up to 10 employees - up to 3 months
    • Up to 50 employees - 3 to 6 months
    • Up to 200 employees - 6 to 10 months
    • More than 200 employees - 10 to 20 months

    You can find more information below:

  • GDPR queries

    What is the prime difference between ROPA & PIA?

    I assume that for ROPA you mean Record Of Processing Activities under Article 30 GDPR and PIA as Privacy Impact Assessment, which is another way to name the Data Protection Impact Assessment (DPIA) under Article 35 GDPR.

    If so, ROPA can be seen as a consequence of PIA. PIA is crucial to apply the principle of Privacy by design in your organization. You need to evaluate the process according to the GDPR principles, assess risks, and then establish how your data processing will be carried out. ROPA, therefore, is the result of processes selected as compliant with privacy by design and the other data processing principles that have been considered and assessed in the PIA.

    While assessing a vendor, once I am done with the Information Risk Assessment Questionnaire, how would I be able to identify if I have to proceed with ROPA or PIA?

    PIA and ROPA are two different activities. Therefore, you need to assess risk with PIA, select the most compliant process, and then record them in ROPA.

    I have created ROPA and PIA questionnaires and added the sections below; do these make sense or am I missing out on something?

    ROPA:
    • Contact Information
    • Basic information on processing and responsibility
    • Data Collection
    • Purpose and legal basis of data processing
    • Data transfers and recipients
    • Standard period for data erasure
    • Means of processing
    • Groups with access authorization (simplified authorization concept)
    • Technical and organizational measures (Art. 32 GDPR)
    • Data portability

    PIA:
    • Business / Project Information
    • General Information
    • Attributes of the Data (use and accuracy)
    • Sharing Practices
    • Notice to Individuals to Decline/Consent Use
    • Data sharing
    • Access to Data (administrative and technological controls)
    • Privacy Analysis
    • Retention and Deletion

    Article 30 GDPR lists the requirements of ROPA for the controller in paragraph 1 and for processors in paragraph 2. You are missing the categories of data subjects and the suitable safeguards adopted in case of transfer of data to third countries.

    Article 35 par. 7 GDPR requires for PIA at least:

    • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
    • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
    • an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
    • the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

    In your questionnaire, it seems that the assessment part and evaluation of risk are missing, unless the title of a section includes it. Remember to identify the data subjects and evaluate the risk to their rights and freedoms.

    Here you can find more information:

    We developed some EU GDPR document templates that might be helpful:

    You can also consider enrolling in our free EU GDPR Foundations Course:

    • EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Doubts regarding the policy, scope ISO 27001:2013

    I would like to know how I can consider doing my company's procedures if 95% of my infrastructure is on AWS.
    For example, I wanted to think about whether AWS can share their SoA with me to learn about their goals and rationale for controls and align them with those of AWS.
    The only computers that are in the facilities are the PCs, and all access is via VPN to AWS.

    Regarding the ISMS scope and policies, you only need to focus on the part of the cloud infrastructure that you have direct control over (this will depend on the contracted cloud service, i.e. you would include data for SaaS, or data and application software for IaaS).

    Examples of what needs to be done within the company are: security training and awareness, access control (defining who has the access, periodic review, etc.), etc.

    The part controlled by AWS you can handle through controls from section A.15 - Supplier relationships. In short, you need to identify the relevant risks related to the infrastructure controlled by AWS and check if the way they handle such risks is acceptable for your organization, and is properly documented in the Terms of Service. For that, your understanding is correct: you can ask for the AWS SoA, so you can evaluate the applied controls, and check if they are included as security clauses in the Terms of Service.

    You'll find a more detailed explanation here:

  • Scope of ISO 9001 and ISO 27001 integrated management system

    Please note that neither ISO 9001 nor ISO 27001 prescribes how to elaborate documents, so organizations are free to create them as best fits their needs.

    Considering that, both approaches (separate documents or integrated into your manual) are acceptable by these standards.

    A decision criterion you may use is the effort of keeping separate documents versus the size and complexity of a single manual.

    This article will provide you with a further explanation about elaborating documents:

    This material will also help you regarding document management:

  • Internal audit options

    Internal audit can be performed by the organization's own employees, provided they have the competence and do not audit their own work. Or you can contract a third party to perform the audit (unfortunately, we do not provide such kind of service).

    As for choosing a third party to perform the audit, you should consider at least these criteria:

    • Experience and skills
    • Reputation
    • Understanding of your industry

    These articles will provide you with a further explanation about internal audit:

    These materials will also help you regarding internal audit:

  • ISMS framework

    ISO 27001 aspects of the business continuity process (section A.17 from ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations, so a full Business Continuity Plan is not mandatory for this standard, and you will only need the DRP.

    To see what a DRP compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our Disaster Recovery Plan at this link: https://advisera.com/27001academy/documentation/disaster-recovery-plan/

    This article will provide you with a further explanation about DRP and BCP:

  • Chance to avoid the de-certification process

    "My plant has an open but 100% resolved NC due to poor performance with GM. They are scheduled to have the special audit in September to close the NC but meanwhile, the performance with the customer has been degraded instead of improving. Due to the increased number of complaints, they will still stay Red with GM until at least January 2021. The question is: 1. What is the chance to avoid the de-certification process?

    I recommend that you stay in close contact with your certification company, as this issue is very critical. You should improve your GM performance results without wasting time. I would like to give you some information about the IATF rules on this topic.

    The IATF revision 5 rules for decertification are written in item 8.1 "a":

    The start date of the decertification process shall be the date of any of the following:

      1. The certification body receives a performance complaint against the client from an IATF OEM member, its relevant IATF Oversight office, or any automotive customer of the client.

      2. The client advises the certification body of a special status condition from an IATF OEM. Notification from the client to the certification body shall occur within ten (10) calendar days from receipt of the special status condition or otherwise specified by the customer.

    The IATF revision 5 rules are set out in article 8.2 as follows:

    8.2 Analysis of the situation

    The certification body shall undertake immediate analysis of the situation to determine the severity of the situation and risk to the customers of the certified client, taking into account, where applicable, IATF OEM customer-specific requirements. This analysis shall be completed within a maximum of twenty (20) calendar days from the start date of the decertification process. Where major nonconformities are raised, the analysis shall include a review of the client submitted root cause including the method used; analysis, results, and implemented correction (see section 8.1 a) and 8.1 c). When the affected site is part of a corporate audit scheme, the analysis shall include a review of the concern and its impact across all sites.

    According to the rules, since there is a problem with performance from GM, the de-certification process has to be started. So, because you received a bad performance notification, the de-certification process has to be started.

    The IATF Rules, revision 5, state in item 8.4 as follows:

    8.4 Verification

    The certification body shall verify the effective implementation of the identified corrective actions from the certified client within a maximum of ninety (90) calendar days from the start of the decertification process. The decision to conduct onsite verification shall be at the discretion of the certification body. The certification body shall maintain records of the justification of the decision.

    In situations where the decertification process has been initiated due to major nonconformities (see section 8.1 c), the certification body shall conduct onsite verification (see section 5.11.4) and the onsite audit shall be considered a special audit (see section 7.2) and be entered in the IATF database.

    In situations where the decertification process has been initiated due to a special status condition from an IATF OEM (see section 8.1 b and section 10.0), the certification body shall conduct onsite verification and the onsite audit shall be considered a special audit (see section 7.2) and be entered in the IATF database.

    In situations where the decertification process has been initiated due to a surveillance audit not conducted on time (see 8.1 e), the onsite audit shall be the rescheduled surveillance audit and be entered in the IATF database.

    In situations where the corrective actions are not effectively implemented, the audit team shall recommend the withdrawal of the certificate.

    Can we present a newer plan approved by GM and the NC be carried over and be reviewed during a future special audit? Thank you very much."

    In the special audit that will take place in September, you should present your detailed root cause analysis and corrective action plan. Even in this audit, the recovery trend, which is the result of your actions, should be seen on the GM portal. If there is no improvement trend, additional time may be granted by the decision of GM and the certification company.

    As stated in IATF Rules revision 5, item 8.5: The certification body shall make a decision to reinstate or withdraw the certificate, which shall include a certification decision (see section 5.12) within a maximum of 110 calendar days from the start of the decertification process. In other words, within 110 calendar days, the certification company has to decide on the subject.
