Search results

Auditing impartiality

How do you audit impartiality 

Auditing impartiality involves systematically determining the extent to which the requirements for safegaurding impartiality are met. i.e. needs identified, processes in place. This is achieved by stating each clause requirement as audit criteria, obtaining objective evidence and evaluating it to confirm conformity or not. Objective evidence is data that supports the existence of something. The evidence itself is usually a document, record or could be a statement of fact, for example, “at the time of the audit, the Quality Policy was displayed in the laboratory". In an audit, evidence can be obtained through various means, for example document review, or interviews and observation. What you need to look for is covered in the answer below.

how do you ensure impartiality in a testing laboratory according to ISO17025:2017?"

Impartiality is important to maintain the trust and confidence of customers and other involved parties. It means that a laboratory must not be influenced or appear to be influenced in any way that would affect laboratory activities. These activities include processes of the ISO 17025 management system, including for example procurement and maintenance. A laboratory must structure the organization and activities in a way that will safeguard impartiality – i.e. not allow commercial, financial, or other pressures to compromise the quality of results or objectives. 

To achieve this:

• Avoid potential conflict of interest and ensure fairness / unbiased actions by structuring the laboratory and greater organization reporting lines to ensure independence.
• Structure Management commitment by establishing an impartiality policy, facilitating training, developing the quality culture, including communicating the importance of safeguarding impartiality. Keep records to provide evidence.
• Perform risk and opportunity assessments to identify where risks may arise and opportunities for improvement and minimizing or eliminating risks to impartiality.
• Include impartiality in Management Review discussion of policies, risk assessments and other activities.
• Establish processes to identify and evaluate ongoing threats to impartiality through for example, internal audits, root cause analysis and effective corrective actions, including management support of the corrective action process.

The ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/, covers this requirement; specifically through the Quality Manual https://advisera.com/17025academy/documentation/quality-manual/ and the ISO 17025 document template: Addressing Risks and Opportunities Procedure at https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/

For more information, have a look at other advice answers on the topic of impartiality:

• Assuring impartiality and confidentiality - https://community.advisera.com/topic/assuring-impartiality-and-confidentiality/
• Compliance with the ISO/IEC 17025:2017 requirement for Impartiality - https://community.advisera.com/topic/compliance-with-the-isoiec-170252017-requirement-for-impartiality/
• Procedure for impartiality - https://community.advisera.com/topic/procedure-for-impartiality/

SOP and authority record

When they say the procedure can that be guideline or does it have to be an SOP? Also I thought in the std when it specifies that procedure then you need an SOP? But for audit and management review i have a record template and not SOP. 

By definition a procedure is a specified way to carry out an activity or a process, where a process results in an intended output, through a set of interrelated or interacting activities, involving one or more inputs.

ISO 17025 is risk-based, leaving the decision to the laboratory on how a procedure is established, communicated, and documented if necessary. ISO 17025 Clause  5.5 c) states the need to document procedures to the extent necessary to ensure the consistent application of laboratory activities and the validity of the results. So no, a procedure does not have to be a documented Standard Operating Procedure (SOP). If the Standard, however, mandates a documented process or procedure, it must be documented.  

You referred to internal audits and management review.  For audits, you need a program, which can be a record, however  there are requirements such as methodology, planning requirements and responsibilities; which need to be included either in a Quality Manual or for ease of use, a documented procedure. The purpose of a procedure would be to describe all audit-related activities - the audit program, selecting an auditor, conducting individual audits and reporting.

Again, although it is not mandatory to have a documented Management Review procedure, it is commonly used. The procedure helps ensure systematic and periodic review of the Quality Management System (QMS) by the laboratory.

Have a look at the ISO 17025 document templates: Internal Audit Procedure and Management Review Procedure and their associated records in the toolkit preview at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

2. For the authority record is it a list of staff, names, employee ID#, with list required authority and do they sign the form? Or is it a general document with all the information such as technician ,specialist, manager, Director, etc"

A laboratory is required to document the organizational and management structure as well as the personnel authority and responsibilities, along with other requirements. For clarity, this can be achieved through an organogram in the Quality Manual and a Competence, Training and Awareness Procedure. Personnel accepts responsibilities, usually as part of an employment contract or job description.  Authority is not merely signed for.  An Approval and Authorization Record is used to specify a responsibility or activity along with the evaluation and authorisation of personnel, once deemed competent.

Have a look at the ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ and preview or link to the Quality Manual, Competence, Training and Awareness Procedure and Approval and Authorization Record

Also have a look at the article List of mandatory documents required by ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/, for information on mandatory and commonly used non-mandatory ISO 17025 documents and records.

GDPR vs. EU Dir 95/46/EC

EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data has been replaced by GDPR as you can see on the official EU website: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046

Here you can find the full text of GDPR: https://advisera.com/eugdpracademy/gdpr/

If you want to know more about GDPR you may consider enrolling in this online EU GDPR Foundations Course:

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// 

• Obsolete documentation

  You must have a way of knowing the number of distributed hard copies in use. When they became obsolete, you just exchange the now obsolete copies with the new version. Obsolete copies must be destroyed. You can use a shredder, or simply stamp obsolete in a clearly visible way. The original document, now obsolete, can be destroyed or stamped as obsolete and kept in a file just for obsolete documents.

  You can find more information about document control below:

  • How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
     

• Monitoring systems for training institutions

  Consider the strategic orientation of your organization. What kind of training services are provided? What kind of target customers are chosen? And how does your organization want to differentiate itself in the market?

  Periodically, review the internal context, for example quarterly. What kind of issues systematically arise in the reports and internal meetings (complaints, successes, costs, training occupancy rates, customer satisfaction, trainers satisfaction, ...). Classify the positive internal issues as strengths and the negative internal issues as weaknesses.

  Periodically, review the external context, for example quarterly. For this kind of monitoring I use the PESTL analysis framework in order to support the discipline of questioning the mind around various areas that may affect an organization (politics, economics, social, technology, legislation and environment). After the PESTL analysis I recommend collecting positive external issues as opportunities and negative external issues as threats, and organize the information in a SWOT matrix that allows us to determine potential risks and opportunities. Please check these two free webinars where I demonstrate the use of the technique:

  • ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
  • How to perform management review according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-perform-management-review-according-to-iso-9001-2015-free-webinar-on-demand/

  For example, one can imagine a training institution, considering the consequences, the opportunities and threats coming after a lockdown economy where many people started to attend webinars and training online.

  You can find more information in the following links:

  • How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book – Discover ISO 9001:2015 Through Practical Examples –https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• The best combination to use for IT Audit

  The best combination will depend on:

  • the purpose of the audit
  • the legal requirements (e.g., laws, regulations, and contracts) the audit must be aligned to

  Broadly speaking, COBIT covers governance aspects of IT, ISO helps cover information security aspects of IT, and ITIL covers operational and management aspects of ITIL.

  These articles will provide you a further explanation about these frameworks:

  • ISO 27001 vs. ITIL: Similarities and differences https://advisera.com/27001academy/blog/2016/03/07/iso-27001-vs-itil-similarities-and-differences/
  • ISO 27001 vs. COBIT: A comparison https://advisera.com/27001academy/blog/2019/05/06/cobit-vs-iso-27001-how-much-do-they-differ/

  These materials will also help you regarding audit:

  • ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

• ISO 27001 compliance testing

  The types of tests to be performed will depend on:

  • the requirements defined
  • the results of risk assessment
  • the legal requirements the website must comply with (e.g., GDPR requirements for data owner management of his/her own information)

  Broadly speaking, there are basically 3 types of "tests" that can be related to ISO 27001: 

  • vulnerability testing (not mandatory)
  • internal audit (mandatory)
  • certification audit (mandatory only if you need the certificate)

  Regarding the cost estimates, the best approach is to request a couple of quotations of companies which provide such tests, so you can make a comparison.

  This article will provide you a further explanation about tests:

  • How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
  • How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/

• Risk Assessment

  ISO 27001 does not prescribe which methodology an organization must use for risk assessment and risk treatment, only that an approach must be defined, so organizations can adopt the approach that better fits them.

  Since you are already ISO 27001 certified, the initial recommendation is for you to keep the approach adopted in the preparation for the certification (it was validated by the certification auditor), and then ask both your external consultant and the auditor about the pros and cons of each recommended approach considering your organizational context, so you can evaluate if you, in fact, need to change your current approach.

  For further information, see:

  • The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

• BAU activities

  I'm assuming that by BAU you mean "Business as Usual".

  Considering that, by the size of this company, it is easier to define that only the headquarters is in the ISMS scope, and treat all other locations as outsourced parties.

  In this approach, you can treat the risks related to the remote locations by means of controls from section A.15.

  These articles will provide you a further explanation about the scope definition and supplier management:

  • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

• Evaluating the effectiveness of the procedure

  The requirements for the evaluation of the ISMS performance are stated in section 9 of the ISO 27001. It is true that the standard does not prescribe what to check, but the items included in the procedures are the most commonly used in ISO 27001 related documents, and of course, since the templates are fully editable, you can define other items for checking the effectiveness of the procedure.

  This article will provide you a further explanation about performance measurement:

  • How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/