Search results

Question about policy

1. Is there any document showing how to link policies? That is which policies are dependent on which policies?

First is important to note that ISO 27001 does not require such a document, and since the standard does not prescribe which policies should be developed, it is unfeasible to develop such a list in a general way.

Now, considering the documents of our toolkits, we develop them with a "Reference documents" section, to point which documents are related to each template, so you can use the information in this reference to build such a list.

For further information, see:

• 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

2. How to show risks of inadequate leadership in a nice way.

If the risks are related to missing documents required by the standard, like the information security policy, you can simply mention that the document is missing and the action of leadership is to ensure they are developed.

In case the risks are related to leadership behavior required by the standard, like promoting continual improvement, a good way to present such risks is to state that related requirements of the standard are not being "properly" followed. This way you can imply that leadership is doing something, that is better than state that they are doing nothing, but that what is being done is not enough to comply with the standard.

For further information, see:

• Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

Disaster recovery plan difference

1. Can you please advise what the difference is between the EN and the cloud documents (screenshot below)? The READ THIS FIRST does not explain. I checked the Table of Contents. Is it for different scenario’s depending on if existing systems are cloud-based or on-premise? Apologies but I thought it would save time to ask.

The difference between this is basic lay-out (no change in content). The EN version was designed as a single and independent document, while the cloud document is an annex from a main Business Continuity Plan document, so it does not have a cover page. This is the single difference.

2. Also, I can open the files on my personal computer but when I copy them to my organizations network, they won’t open even when I rename them They must be blocked by our own security filters.

A possible cause may be that the whole document name, including the path in the organization's network, has a number of characters that are above the maximum allowed by the operating system. To check if this is the cause, try to change the name of the file to a single character and then try to open it. If it opens then you should try to rename to a shorter name. If it does not open, please send the document to us for analysis.

Objective for certification the university

 If I understood correctly, you want examples of objectives related to ISO 22301 certification.

Considering that, the most common benefits for organizations which seeks certification against ISO management standards are:

• Enhanced competitive edge
• Reduction on losses due to security incidents
• Reduction on fines due to legal or contractual non-conformity
• Improvement of internal organization

To be more specific, it would be necessary to know the university context (e.g., main courses, students profile, location, etc.).

These articles will provide you further explanation about ISO 27001 benefits (the same concept applies to ISO 22301):

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• How to gain employee buy-in when implementing cybersecurity according to ISO 27001 https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-when-implementing-cybersecurity-according-to-iso-27001/

Calculating uncertainty

You asked

Please help me in calculating uncertainty 

Advisera’s ISO 17025 toolkit guides you through the implementation of ISO 17025. The  ISO 17025 document template: Evaluation of Measurement Uncertainty Procedure and related Measurement Uncertainty Checklist and Measurement Uncertainty Record are available as part of the ISO 17025 toolkit; or as separate documents; to guide you in the process.

See the following expert advice answer on the topic, with links to available toolkits documents: https://community.advisera.com/topic/meas-of-uncert-budget-pipette/

You also asked

how can use uncertainty to evaluate the competence of the operators and also that the method is fit for purpose 

A complete discussion of measurement uncertainty is outside of the scope of the toolkit. Measurement uncertainty is a statistical measure, offering a range within which there is an equal probability of the result value lying, at a particular confidence. This uncertainty estimate is a combination of all factors that affect the variability of results, on method basis; so cannot be used directly to evaluate the competence of personnel performing the method. One way of evaluating the competence of the operators, is to analyse the variation of groups of results during or after validation.

To state that a method is fit for its intended purpose, means providing evidence that the method is sufficiently reliable, so that the method can be used with confidence for a client to make a decision; based on results provided. The performance of a method must be evaluated through validation, along with an evaluation of measurement uncertainty. Uncertainty of measurement comprises many components, over a period of time for methods that have many variables. Depending on the purpose of the method a suitably small uncertainty may have to be achieved for a method to be fit for purpose. Look to regulatory or sector guidelines on acceptable or target uncertainties.

The ISO 170252 toolkit and available toolkit documents are available for preview or purchase at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

ISO certification

Here are the four essential steps to becoming an ISO-certified business.

1-evelop your management system. Identify your core or business processes. ...2-Implement your system. Ensure procedures are being performed as they are described in your documentation. ...3-Verify that your system is effective. ...4-Register your system.

ISO 13485 implementation

It is best to make a GAP analysis between your current Quality Pharmaceutical System and requirements from ISO 13485:2016. 

For that step, the following documents can be helpful:

Manufacture of Hospital Beds

Harmonized standards that can be applicable to medical devices are listed on the following link: https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices

In that list there is one standard applicable for hospital beds: EN 60601-2-52:2010 - Medical electrical equipment — Part 2-52: Particular requirements for basic safety and essential performance of medical beds.

Medical device Auditor

Medical device auditor first need to know what is auditing process and practice. Usually, this kind of knowledge gets through the education for Lead auditor for ISO 9001 and/or ISO 13485. 

Then, medical device auditors need to have a background in manufacturing and/or designing certain types of medical devices. This is proved by CV and expert knowledge. Each medical device auditor is specified for certain types of medical devices, there is no any auditor that audits all types of medical devices. 

Medical devices are divided into codes.

A list of codes for the EU market that are under Medical device regulation MDR 2017/745 can be found on the following link: https://ec.europa.eu/growth/sectors/medical-devices/new-regulations/guidance_en, look for the document MDCG 2019-14 Explanatory note on MDR codes.

For USA market, codes for medical devices can be found on the following link: https://www.fda.gov/medical-devices/classify-your-medical-device/product-code-classification-database

Information about ISO 9001:2015 Lead Auditor Training Course you can find on following link https://advisera.com/training/iso-9001-lead-auditor-course/

ISO/IEC 17025:2017 & ISO/IEC 17020:2012 certification

What dictates the accreditation cycle?

It is ISO/IEC 17011 Conformity assessment — Requirements for accreditation bodies accrediting conformity assessment bodies that specifies the restriction and criteria for an accreditation body to determine the length of the accreditation cycle. Accreditation bodies must comply with ISO/IEC 17011:2017 and establish separate accreditation schemes (containing rules and processes) within their scope. For example an ISO 17025 scheme and an ISO 17020 scheme. Each scheme has an accreditation cycle which begins at the point of achieving initial accreditation or decision after full reassessment and continues for no more than five years. The criteria is that it must be of a suitable length so that the assessment program can cover sufficient assessments of relevant locations and activities, representative of the scope of accreditation. Typically this cycle is four years or five years for ISO 17025.

What, if any, requirements are dictated by ILAC?

ILAC’s role is to not to dictate or regulate but to develop and harmonize the accreditation practices of member accreditation bodies. They produce policy documents and guidelines which provide criteria or interpretation of accreditation criteria, applicable during assessment. For example with reference to the requirements for an assessment of an internal audit program., in ILAC G28:07/2018 Guideline for the Formulation of Scopes of Accreditation for Inspection Bodies (ISO 17020) ILAC state “The inspection body shall ensure that all requirements of ISO 17020 are covered by the internal audit program within the accreditation re-assessment cycle”.

Aspects vs hazards

"ISO 14001:2015 does not define “hazard”. It only mentions “the nature of onsite hazards (e.g. flammable liquids, storage tanks, compressed gasses)”.

Any organization interacts with the environment. Environmental aspects are the elements of an organization’s activities or products or services that interact or can interact with the environment. Those interactions may take place under normal situations, during startup or stoppage, or during abnormal or emergency situations. Environmental aspects during abnormal or emergency situations may generate particularly significant environmental impacts, environmental consequences. The word hazards are used when significant environmental impacts, significant environmental consequences are a possible outcome.

You can find more information about the aspects and hazards below:

• ISO 14001 vs. OHSAS 18001: What is different and what is the same? - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-vs-ohsas-18001-what-is-different-and-what-is-the-same/
• Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
• Free webinar - ISO 14001: Identification and evaluation of environmental aspects -https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/"