Search results


  • Environmental conditions for testing and calibration laboratories

    Best practice guidelines or requirements may be referenced or available from your Accreditation Body (e.g. UKAS) or National Metrology Institute (e.g. NIST). The requirements for environmental conditions will depend on the scope of the laboratory, i.e. what type of calibration or testing is being performed.

    Generally the facility and environmental conditions must be suitable for the purpose, be reliable and be consistent. Each laboratory would need to determine the specific requirements from a quality and legal perspective and seek information from:

    1. National legislation and regulatory bodies (e.g. environmental and hazardous substances management, occupational health and safety acts),
    2. Technical criteria of tests to achieve consistent reliable calibration or test results (e.g. suitable operation conditions and controls such as temperature and humidity to prevent damage or deterioration to samples and equipment).

    You may be interested in this article What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/

    The ISO 17025 document template: Facilities and Environmental Condition Procedure https://advisera.com/17025academy/documentation/facilities-and-environmental-condition-procedure/ and related documents such as ISO 17025 document template: Record of Laboratory Environmental Controls https://advisera.com/17025academy/documentation/record-of-laboratory-environmental-controls/ are available for purchase.

  • A-14.2.5 - Secure system Engineering Principles

    First, it is important to note that control A.14.2.5 - Secure system Engineering Principles is mandatory only if you have:
    - unacceptable risks that can be treated by this control
    - legal requirements demanding the implementation of this control
    - a top management decision for the implementation of this control

    If none of the above applies to your organization, you do not need to implement this control.

    Regarding documentation, control A.14.2.5 is implemented through the template Secure Development Policy, for which you can see a free demo at this link: https://advisera.com/27001academy/documentation/secure-development-policy/

    ISO 27001 does not require each control to be documented separately; this is why we included A.14.2.5 in this policy. In this policy you have guidelines on how to write the secure engineering principles.

    These articles will provide you with further explanation about the application of control A.14.2.5:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

  • 8.5.5 Post - delivery activities

    Consider the example of a small manufacturing company that wants to sell its branded product through a big wholesaler chain. Most certainly, in this case, the relevant clause is 8.2. The wholesaler has all the power and they will pay a price for each order.

    If the manufacturing company pays directly to the channel partner a kind of rent to “own” a shelf to display the product to consumers then the relevant clause is 8.4.

  • ISO 9001 and strategic direction

    ISO 9001:2015 mentions "strategic direction" in clauses 4.1, 5.1.1b), 5.2.1 a) and 9.3.1.
    ISO 9000:2015 defines strategy as "plan to achieve a long-term or overall objective".

    Once an organization defines its strategy it actually establishes a set of rules about what to do and whom to serve, and about what not to do and whom not to serve. Adopting and following those rules sets a path, an orientation, a direction: the strategic direction. 

    For example, if an organization decides to serve customers that value the lowest price above all, it has to concentrate on efficiency, on volume, on big orders, and look for process innovations that reinforce those topics. Another organization, in the same economic sector, may decide to serve customers that value innovation or design above all. These organizations are different, require different processes or are managed with different priorities in mind.

    Please check these two free webinars on-demand where we relate quality policy and indicators

    Below, you can find more information about quality objectives:

  • List of regulatory, contractual and other legal obligations

    Regarding your template, we apologize for the inconvenience. The original template in English has the following links:

    • https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
    • https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    • https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    Regarding the other templates, we will check the links that need to be updated and send the correct links to you as soon as possible, without additional costs.

    If you have any more urgent needs related to links, you can send us the specific links.

    Regarding how to fill out the spreadsheet, here is an example:

    A customer has a service level agreement with your company which defines, in clause 32-b, that in case of a disruptive incident, access to information system ABC must be restored to at least 30% of normal capacity in no more than 24 hours. In this case, the person responsible for system ABC is responsible for ensuring compliance of the system with this requirement. Then your document would be like this:

    Interested party: Customer Jon
    Requirement: Clause 32-b (recovering access to system ABC to at least 30% of normal capacity in no more than 24 hours)
    Document: Service level agreement
    Person responsible for compliance: System ABC administrator
    Deadline: 24 hours after the occurrence of the disruptive incident which makes access to system ABC unavailable

  • RACI MATRIX ISO 27001

    In order to establish the responsibilities of ICT and Information Security, I would like to know if perhaps you have already prepared this type of document, please. Thank you very much.

    From your question, the role of ICT regarding information security is not clear (whether it leads the process or is an interested party). Anyway, you can use the template in this article:
    - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/

    https://www.screencast.com/t/GxZxpDfMhaJ

    In case ICT leads the project, you can change the term "Project team" to "ICT" in the related Role Column. On the other hand, if ICT is one interested party, you do not need to make any adjustments regarding this.

  • SAR REQUEST UNDER GDPR

    To perform the Subject Access Request (SAR), you may need Google Takeout, which helps users to deal with their rights: https://takeout.google.com/

    Otherwise, if you need to ask for the removal of some information or content with your personal data, you can send a request to Google through this form: https://www.google.com/webmasters/tools/legal-removal-request?complaint_type=rtbf&hl=en&rd=1&pli=1

    ICO (the UK Data Protection Authority) developed a guide on how to file a Subject Access Request: https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/preparing-and-submitting-your-subject-access-request/

    If you need more information about GDPR in general, you may consider following our free Foundation course: EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Medical Device Family

    According to both the MDD and MDR, you have a case of a medical device group or family. You can have one set of Technical documentation for the group of medical devices with a description of a complete list of the various configurations/variants.

    To see how to structure the Technical file according to MDR, see this Technical file template: https://advisera.com/13485academy/documentation/technical-file-template/

  • TPM implementation

    Our Toolkit documents do not contain details about the TPM application. But according to my knowledge and experience, I can provide some details about TPM activities.

    There are 16 types of loss in GEMBA (production area). These losses are:

    - Machine failure
    - Set up and adjusting
    - Tool change
    - Start-up
    - Minor stoppage
    - Speed
    - Defect and rework
    - Shutdown
    - Management
    - Motion
    - Line organization
    - Logistic
    - Adjustments
    - Loss of energy
    - Die and tool
    - Yield

    You can make improvements for these losses by creating 8 pillars from the organization. The eight pillars of TPM are mostly focused on proactive and preventative techniques for improving equipment reliability.

    These pillars and duties are:

    - Autonomous Maintenance: Places responsibility for routine maintenance, such as cleaning, lubricating, and inspection, in the hands of operators.
    - Planned Maintenance: Schedules maintenance tasks based on predicted and/or measured failure rates.
    - Quality Maintenance: Design error detection and prevention into production processes. Apply Root Cause Analysis to eliminate recurring sources of quality defects.
    - Focused Improvement: Have small groups of employees work together proactively to achieve regular, incremental improvements in equipment operation.
    - Early Equipment Management: Directs practical knowledge and understanding of manufacturing equipment gained through TPM towards improving the design of new equipment.
    - Training and Education: Fill in knowledge gaps necessary to achieve TPM goals. Applies to operators, maintenance personnel and managers.
    - Safety, Health, Environment: Maintain a safe and healthy working environment.
    - TPM in Administration: Apply TPM techniques to administrative functions.

    My advice is, instead of installing these 8 pillars at the same time, to start TPM studies with Autonomous Maintenance and Planned Maintenance activities and to choose pilot machines or lines. For more information, I recommend you review TPM books or get training on TPM.

  • Auditing Biomedical service providers

    If I understand correctly, you are asking about biomedical equipment that is used in production and/or service of medical devices. If that is so, the minimum and mandatory criteria according to both Medical device directive (MDD 93/442/EEC) and Medical device regulation (MDR 2017/745) are that any laboratory used to prove compliance of the medical device to a certain requirement must be accredited. So, you need to ask for an accreditation certificate of that company and check whether your equipment test is on the method list.

    For more information on what EU MDR is (EU MDR – Easy-to-understand basics), please read the following article: https://advisera.com/13485academy/what-is-eu-mdr/

    According to ISO 13485:2016, companies that provide service of medical devices also need to be certified according to ISO 13485:2016.

    On this link you can find Clause-by-clause explanation of ISO 13485:2016: https://info.advisera.com/13485academy/free-download/clause-by-clause-explanation-of-iso-13485

    Qualification of the personnel who performed and signed the calibration certificate is covered and reviewed during the accreditation audit. Usually, companies that perform calibration services are accredited by ISO 17025:2017 for a particular method, so a Certificate of accreditation is also necessary as proof that the calibration process is done properly.

    You can find what ISO 17025 is at the following link: https://advisera.com/17025academy/what-is-iso-17025/

    Each piece of equipment has its own standard under which it should be calibrated. There are different standards for scales, for thermometers, for hygrometers, pressure and so on. The standard under which calibration equipment needs to be calibrated must be stated on the calibration certificate. Annex to each calibration certificate is a certificate of the standard gauge with which calibration is done.

    For more information about calibration requirements in ISO 13485, please read the following article:
    Calibration requirements in ISO 13485 https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/

     
