Measurement system records are technical records, so the laboratory needs to comply specifically with the requirements of ISO 17025 clauses 8.2 and 7.5.
The laboratory needs to establish what a suitable retention time is for different types of records, based on contractual and legal requirements. The potential risk or impact to the laboratory should be evaluated if the period selected is too short, or even too long. Consideration should be given to the medium of the records, as all requirements of ISO 17025 must be met during the retention period in terms of data confidentiality, security and integrity. You need to consider paper, scanned and electronic records. This also includes being able to "read" the record, either with the human eye or by a computer process, throughout the retention period, i.e. format and medium must be contemporaneous. Consider, for example, a legal dispute over a result or report years down the line: the results would need to be traceable to legible (readable) measurement system records to verify the validity of the reported results.
It is interesting to note that most laboratories do not define the concept of archiving. By definition, retention period is the period of time that records (documents) should be retained in their offices of origin or in records centres before they are transferred to an archive(s) <organization> or otherwise disposed of (SOURCE: ISO 5127:2017(en) Information and documentation - Foundation and vocabulary). In other words, to mitigate risk, a laboratory could consider keeping a particular handwritten raw data record for, say, 6 months, then scanning it and retaining the electronic file with quick access by the laboratory for, say, 3 years. Thereafter it could be archived for a suitable period before disposal. Costs need to be considered as a factor in the risk assessment too.
For further information, have a look at the ISO 17025 document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/
For supporting information regarding actions to address risks and opportunities, see:
Yes, authorship and approval are not exclusive. The only criterion is that a chain of authority coming from top management gives someone the authority to approve a document.
The following material will provide you more information:
The main difference between the quality policy of ISO 9001 and the environmental policy of ISO 14001 is the systematic focus each offers. In ISO 9001 the policy is focused on the quality of the product or service and on customer satisfaction, whereas in ISO 14001 the environmental policy seeks to measure environmental impact and preserve the environment.
For more information about the quality policy and the environmental policy, see the following materials:
- How to write a good quality policy: https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
- How to write an ISO 14001 environmental policy: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-write-an-iso-14001-environmental-policy/
- Free online course - ISO 9001:2015 Foundations (Spanish) - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Free online course - ISO 14001:2015 Foundations (Spanish) - https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
Auditing clause 8.1:
a) You will ask for specifications for products and services. Are they defined, approved and current?
b) 1) You will ask for a process control plan.
b) 2) You will ask for a product or service quality control plan.
c) You will ask for any definition of conditions or resources needed to meet product or service requirements, for example materials and components to be used as raw materials, requirements for subcontractors, or requirements for people (number and competences).
d) You will ask for evidence of following and applying b) 1) above.
e) You can ask for a list of the documents and records used in operations.
Also audit how changes are implemented and controlled, and how subcontractors are controlled.
The following material will provide you more information:
The BCP templates from the Toolkit are compliant with ISO 22301 and are applicable to organizations of any industry (although our templates are designed for small and mid-sized organizations, up to 500 employees).
The templates provide the basic structure to build a business continuity plan, so they do not contain details about specific industries. The IT examples are used because most of our customers rely on Information Technology processes, but the examples can be extrapolated to any industry.
These articles will give you further explanation about elaborating BCPs (not only involving IT scenarios):
These materials will also help you regarding elaborating BCPs:
ISO 27001 does not prescribe keeping maintenance logs.
The need to keep logs is defined by the results of the risk assessment and applicable legal requirements, and also by the need to prove to auditors that security processes are being performed. These are the elements that will help you define which information must be logged, as well as which systems must be logged.
These articles will give you further explanation about logging:
This material will also help you regarding logging:
Since 2012, ISO management systems have shared many requirements (e.g., document and record control, internal audit, management review, etc.), so the individual documents for each system are still applicable, and they can be combined into single documents. For documents covering the specifics of each standard (e.g., information security risk assessment and treatment, product planning), it is still better to keep them separate.
This article will give you further explanation about integrated ISO systems:
This material can also help you:
I understand that you are referring to the list of legal requirements for ISO 27001.
Considering that, although the type of information to be gathered to fulfill the requirements of section 4 (Organization Context) is basically the same for ISO 9001 and ISO 27001 (e.g., the requirement, the responsible party, the due date, etc.), so that if the spreadsheet provided by your consultancy is compliant with ISO 9001 it also complies with ISO 27001, the requirements for quality are very different from the requirements for information security.
For example, for ISO 27001 the requirement would be to comply with the LGPD, whereas for ISO 9001 the requirement would be to comply with some manufacturing-related regulation. So it would be better to list the legal, regulatory, and contractual requirements in separate documents for ISO 27001 and for ISO 9001.
To see what a document that lists the legal requirements for ISO 27001 looks like, I suggest you take a look at the free demo of our List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
This article will give you further explanation about the identification of requirements:
I understand that you are referring to the survey of legal requirements for ISO 27001.
Considering that, although the type of information to be gathered to meet the requirements of section 4 (Context of the organization) is basically the same for ISO 9001 and ISO 27001 (for example, the legal requirement, the person responsible for it, the date by which the requirement must be met, etc.), so that if the spreadsheet provided by your consultancy is compliant with ISO 9001 it is also compliant with ISO 27001, the quality requirements are very different from the information security requirements.
For example, for ISO 27001 the requirement would be to comply with the LGPD, whereas for ISO 9001 the requirement would be to comply with some manufacturing-related regulation. Therefore, it would be better to list the legal, regulatory and contractual requirements in separate documents for ISO 27001 and for ISO 9001.
To see what a document that lists the legal requirements for ISO 27001 looks like, I suggest you take a look at the demo of the template List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/pt-br/documentation/anexo-lista-de-obrigacoes-estatutarias-regulamentares-contratuais-e-outras/
For more information, see:
Most regulations and industry practices do not define any specific distance to recovery sites, because many factors can affect what would be considered a "safe" distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, we suggest you start a discussion about the distance of the DR site by proposing a distance of between 30 miles (50 kilometers) and 100 miles (160 kilometers) from your primary location, and from that analyze your organization's context (geographic situation, available resources, required investment, etc.).
This article will give you further explanation about the distance of the recovery site:
This material will also help you regarding the distance of the recovery site: