
  • ISO 9001 Lead implementer and Lead auditor course differences

    Each course has a very different purpose. The 9001:2015 Lead Implementer Course is for the main person in charge of implementing a quality management system. Normally, it is chosen by someone who wants to become a consultant and/or improve their consulting skills. The 9001:2015 Lead Auditor Course is for a person with some experience as an internal auditor who wants to work for a certification body as an auditor, or for a consultant wanting to know how certification auditors work. Please check this article with more detailed information - How to choose the most appropriate training - https://advisera.com/training/compare/

  • Distance between people in calibration lab

    There is no specification in ISO 17025 regarding the distance between people or activities. Each laboratory must determine what facilities are required based on risk and context: the regulatory nature of the sector, what tests will be performed, and what interferences (e.g. electrostatic) may need to be controlled.

    For further information see the following:

    The article What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
    The Advisera ISO 17025 toolkit Facilities and Environmental Condition Procedure at https://advisera.com/17025academy/documentation/facilities-and-environmental-condition-procedure/
    A free Project Plan for ISO/IEC 17025 implementation from the ISO17025 Academy at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation
    The ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Difference between ISO EN 17025 and ISO IEC 17025

    There is no difference, although a reference to ISO/EN 17025 or ISO EN 17025 is not strictly correct. ISO standards use the numbering format "ISO nnnnn:yyyy: Title", where the standard number is "nnnnn", the year published is "yyyy", and the description of the subject is the "Title". When jointly published with the International Electrotechnical Commission (IEC), as with ISO 17025, the numbering is ISO/IEC 17025:2017.

    National or regional standardization bodies may publish an equivalent version of the International Standard. An example is UNE EN ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories, where UNE is the legally authorised standardisation organisation in Spain. In some cases the year will be later than the ISO published year, where the year is the publication year for the regional or national standard. An example is AS ISO/IEC 17025:2018, published by Standards Australia in 2018.

  • ISO 14001 Environmental Management System

    It is up to each organization to decide the best approach to coordinating the Environmental Management System: a person, a group of people, or top management.

    Please check the information below for a more detailed answer:

  • ISO 14001 Organization's products and their environmental aspect

    Think about the product life cycle: transport until possession by users, use by users and disposal.

    Determine the environmental aspects and impacts along that flow. For example, CO2 emissions for putting your product on the other side of the planet, energy consumption during the use of your product by users, and then what happens when your product reaches the end of its use? Disposal? Re-use? Recycling? What potential impact for the environment?

    Please check the information below for a more detailed answer:

  • Questions on security incident and clause 4

    1. A question came up in our review of Security incident management. We have the following stated in our policy; should we say "must report" or "should report"? Is this a legal issue? Obviously this policy we would share with our customers and third parties, right?

    Each employee, supplier or other third party who is in contact with information and/or systems of Levi, Ray & Shoup, Inc. or their customers must report any system weakness, incident or event which could lead to a possible incident.

    In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”.

    Considering that, the proper wording is “must report” because by using "should report" the person is not obliged to do so.

    Sharing this policy is a legal issue only if you have a law, regulation, or contract demanding that this policy be shared. If there is no such requirement, you have two options: share the whole policy or only the specifics related to customers and third parties.

    2. It looks like clause 4 is missing from the packet of templates you sent; there are no 04 documents, which is strange. Our external auditors are referencing clause 4 in a finding, but I really don't see anything in the ISO document itself on this.

    Please note that for clause 4 of ISO 27001 the single required document is the ISMS scope, which is located in folder 03 ISMS Scope Document. ISO 27001 does not require documenting the context of the organization, so in our understanding, considering the provided information, this issue is at most an opportunity for improvement, not a non-conformity.

    Documenting the context of the organization is especially not recommended for smaller organizations - you only need to take the context of the organization into account when defining the scope and doing the risk assessment, which is why we do not include a document about the organizational context in the toolkit.

    You should contact your auditor to better understand his/her point of view about the added value of explicitly defining the organizational context, so you can evaluate whether this is worthwhile for your organization.

  • Questions about ISO 27001 implementation

    1. I already read ISO 27001 standard but I've not purchased it yet. We're ready to purchase the document, but I see it also refers to ISO 27000, 27002, 27003, 27004, 27005 and 31000. Do we need to purchase all those documents to pursue certification?

    There is no need to purchase any additional standard for certification purposes (only ISO 27001 is sufficient). The comments included in the templates already cover the most common guidance provided by the mentioned standards.

    2. We have defined the following objectives for the ISMS:
    - Create a better market image which will let it acquire or retain security-conscious clients, at least 4 during next year
    - Ensure service uptime of 99.95% throughout the year
    - In case of disaster, data loss of a maximum of 24 hours, with time to recovery of 6 hours
    - Conformity with data privacy and security regulations
    - Reduce the damage caused by potential incidents
    - Ensure the confidentiality of the customer data handled by the company

    As you can see, some are measurable but some are not. Is there an obligation to make those measurable? What happens if the objectives are not achieved?

    ISO 27001 requires objectives to be measurable only if practicable (i.e., when the effort to perform the measurement is worthwhile).

    If an objective is not achieved, the organization must analyze the impacts of not achieving it and the causes, and define adjustments if needed. This may occur at any time or as part of the management review.

    For further information, see:

    3. When preparing the Risk Assessment, some of the risks are under the domain of a supplier. For example, our servers are hosted in a data center and we have a supplier that sub-contracts and manages the servers. What is the appropriate way to document those risks? I'm guessing we still have to list the risks (for example a breach in a server) and then in the Risk Treatment table we'll specify those risks are transferred to a third party? Or should it instead be "selection of controls", regardless of who does it, and then we would draw up a contract with the supplier to apply those controls?

    The proper way to handle risks under the domain of a supplier is:

    • list the risks in your risk assessment
    • define for the relevant risks the treatment option "transfer risk"
    • define in the set of controls to treat the risk at least one of the controls from section A.15 Supplier relationships, as needed
    • define security clauses in the contract with the supplier to require the supplier to comply with the applicable controls

    For further information, see:

    4. Our company is fully remote, our employees and contractors work at home. I guess this is an important thing to mention because it affects how the risk analysis is made (for example, there is no "office" asset, which maybe the auditor would not understand). Where is the best place to document this?

    First, it is important to note that at least one "office" must be identified for certification purposes (it can be the owner's home or the office where he/she works).

    Considering that, the information about the company being fully remote should be mentioned both in the ISMS scope and in the risk assessment.

    This article will provide you a further explanation about the scope definition:

    This material will also help you regarding scope definition:

  • Is ISO 13485:2016 the latest version?

    Yes, so far ISO 13485:2016 is the latest version. There is an explanation on the web page of the ISO organization that this standard was reviewed and confirmed in 2020, and that this version ISO 13485:2016 remains valid.

    You can see it on this link: https://www.iso.org/standard/59752.html

    In section 1. Scope of this standard, it is stated that if any requirement from Clauses 6, 7, and 8 is not applicable, the organization does not need to include that requirement in the quality management system.

    Here you can find the Checklist of ISO 13485:2016 Implementation steps: https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

    Also, you may find useful our ISO 13485:2016 documentation toolkit: https://advisera.com/13485academy/iso-13485-documentation-toolkit/

  • ISO 9001 and temporary unit closing

    If an ISO 9001 certified unit closes down temporarily, you should communicate this to the certification body. Most likely your organization's contract with the certification body includes a clause where your organization undertakes to notify the certification body, as soon as possible, of any significant changes to the organization and/or its activities, for example a change of physical location, change of ownership, or commercial viability. I work with organizations that closed down temporarily due to the pandemic, communicated that to the certification body, and life went on when they started to resume operations.

  • OHSAS 18001 to ISO 45001 transition

    The timeline for transitioning from OHSAS 18001 to ISO 45001 will differ from company to company depending on size, complexity of processes, number of people doing the transition, availability of resources, etc. For instance, the greater the number of people to train on the changes, the longer it will take; however, many companies can transition in less than 6 months. The best way to reduce the length of time it takes is to follow a systematic process to ensure that what you already have in place is utilized to reduce the amount of work that is needed.

    You can learn more about the transition process in the whitepaper: Twelve-step transition process from OHSAS 18001 to ISO 45001, https://info.advisera.com/45001academy/free-download/twelve-step-transition-process-from-ohsas-18001-to-iso-45001
