Search results


  • ISMS operation before certification

    This timing is different from one certification body to another - some certification bodies allow you to go for the certification after you finish the internal audit, management review, and close most of your corrective actions; others require a 3 months period of ISMS operation before you can start the certification process.

    So the point is - you should ask for quotes from a couple of certification bodies, and ask them to specify their requirements.

    These articles will help you:

  • Risk Assessment

    1. We are preparing this table for the first time. When listing an asset, is it ok to use a generic category for the asset so that it includes multiple real assets, or must each real asset be listed individually? For example, if I have 10 desktop computers, must each be listed separately or can I make one entry for "desktop computer" assuming the risks are the same for all 10?

    ISO 27001 does not prescribe how to perform risk assessment, only that it must be performed, so organizations are free to perform it the way it better suits them.

    In fact, grouping assets with similar risks in a single category, as you exemplified, is a common practice, and it is perfectly acceptable by certification auditors.

    Please note that included in your toolkit you have access to a video tutorial that can help you fill in the risk assessment table, presenting examples with real data.

    My second question is about the existing control column. Is it ok to list a preventative measure that has not been documented in a policy, or must it be an explicit control that is documented? For example, if I have a server that is vulnerable to power failure, can I list the existing control simply as "the server is plugged into a UPS" or must I cite a policy document that indicates all servers must be plugged into a UPS? Again, this is the first time this document is being written, and we understand that we will need documented controls for the Risk Treatment Table.

    As long as the control is implemented, there is no problem in mentioning it in the existing control column in the risk assessment table, even if it is not documented at the moment the risk assessment was performed.

    Please note that ISO 27001 does not require you to write documents for each and every control. Only some controls will need to be documented later on as part of your ISO 27001 implementation - see the PDF document "List of documents" in the root folder of your toolkit to see which documents (and their related controls) need to be written down.

    For further information, see:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

  • Audit scope

    Having AS9100 scope for one aerospace product line and ISO 9001 scope for other parts of your organization is an acceptable thing to do, and I understand why you would want to do so. Just ensure you talk to your certification body about the scope change.

  • Internal and external factors and risk based thinking

    Examples of internal issues include: organizational structure, strategic direction, capabilities of employees, poor customer satisfaction, obsolete equipment, organizational culture, contractual agreements, loss of key personnel, etc.

    Examples of external issues can be: oil price changes, political stability, changes in trade agreements, changes in exchange rates, technology shifts, loss of main supplier, changes in laws and regulations, etc.

    Examples of risks: Key supplier fails because it goes bankrupt, limited raw materials available due to natural disaster, employee turnover is high, etc.

    The following material will provide you more information about the context of the organization and risk based thinking:

    - How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Please check this free webinar on demand - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • ISO 9001 in the service industry

    All elements of ISO 9001 are applicable in the service industry. ISO 9001 is written in a language to make it applicable both to product production and to service provision.

    You can find more information about ISO 9001 implementation in the following links:

    - What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
    - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Managing Production and Service Provision using ISO 9001 - https://advisera.com/9001academy/blog/2017/11/21/managing-production-and-service-provision-using-iso-9001/
    - Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • ISO 13485 query

    Can you please advise what does a face mask with CE 0197 and ISO 13485 carries what correspondent to what BFC etc?

  • Standard making process

    You can find the story of ISO 9001 in this article - The history and future of the ISO 9000 series of standards - https://advisera.com/9001academy/blog/2019/04/15/history-of-the-iso-9000-series-of-standards-and-what-to-expect-next/ and the process of developing ISO standards in this article from ISO - Stages and Resources for Standards Development - https://www.iso.org/stages-and-resources-for-standards-development.html

  • Product safety

    If after deep analysis of your system you haven't recognized a place for Special Characteristics relating to safety, meaning characteristics which can affect safety or compliance with regulations, fit, function, and also customer safety or employee safety in the production area, it is okay to say that you have no Special Characteristics regarding safety.

    Special Characteristics represent product or process characteristics that can affect safety compliance, regulatory compliance, fit, function, performance, requirements or subsequent processing of the product. Special Characteristics must be documented, in drawings, FMEA analysis, Control Plan, Auto-control Plan, and work instructions. Special Characteristics must be marked in a sense of symbol and definition, and in that way represented to the customer. If there are Special Characteristics, there has to be a strategy for controlling and monitoring, and customer approval.

    If the TIER2, TIER1 or OEM haven't recognized a place for product safety, it is a good sign that there is no need for Special Characteristics, since their requirements are often more strict than the standard IATF 16949 itself. The recommendation is to check your system once again and to do deep analysis, just to be sure you haven't missed something.

    NOTE: VW AG’s suppliers are required to appoint and employ a product safety representative. These apply both to the OEM directly, and the whole supply chain.

    For more information, please see the following article:

    Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/

  • Manufacturing of medical devices

    Monitoring temperature and humidity at the warehouse (plastic granules/polymers) depends on the symbols that are on the packaging of plastic granules. If there is a symbol for temperature range specifically stated (e.g. 5-30C), then you need to monitor temperature. If there is no such symbol, you are not obliged to monitor these elements. According to the ISO 13485:2016 clause 7.5.11 Preservation of product, you must protect your material from alteration, contamination or damage when exposed to expected conditions.

    We have a procedure for Warehouse in our toolkit. You can see the content at the following link:

    https://advisera.com/13485academy/documentation/warehousing-procedure-iso-13485-2016/

  • ISO 17025 questions

    In responding to your comments and questions, I assume that the requirement will be accreditation to ISO 17025 as a testing laboratory, not a calibration laboratory. As an overall comment for clarity, calibration is always a requirement when checking equipment used in a Quality Managed process. Calibration laboratories require accreditation to ISO 17025, whilst not all testing laboratories require accreditation to ISO 17025. If, however, the service you are offering does not involve you performing calibration, legislation or a specific standard may require your facility to be accredited as a Verification laboratory. In this case it is not to ISO 17025, but in accordance with a recognised National Standard, where the accreditation demonstrates technical competency for that Standard - a defined scope and the operation of a laboratory quality management system; not specifically ISO 17025. In trade arenas where there are no legal requirements (not legal metrology) an ISO 9001 management system and accreditation against an industry specific standard is sometimes accepted by the trade association.

    You asked:

    1. Is this even possible with a 1 man operation? It seems like several processes require a few staff. Things like management structure, training documentation, impartiality...

    ISO 17025 is suitable for any size laboratory. It is therefore possible to implement ISO 17025 for a single person operation. This is achieved by addressing the risks of your facility and safeguarding impartiality. By addressing these, you are justified to modify and simplify processes. You simply state this upfront. When the operations are straightforward, the processes and documents can be simplified within a management system.

    2. Our scope is extremely limited, and there really are no datapoints, 99% are pass fail criteria based on interpretation. 

    How do we handle stuff like proficiency? Our 17025 scope would be ANSI/an accredited furniture testing standard furniture testing standards, a minimum of 2, maximum of 6, and they are all composed of the same procedures...

    Meeting the requirement of ISO 17025 to ensure the quality of test results is confirmed by the accreditation body which will audit your facility and grant your facility accreditation. Here practical restrictions are taken into account and other comparison means are accepted, by agreement. I suggest you contact your accreditation body and obtain their rules for Proficiency Testing and other Comparison Programme Requirements for ISO 17025 accredited facilities. Here again, the documented procedure and records can be customized accordingly. 

    In reply to your question 3 and 4, we do not offer accreditation services. I recommend you contact your chosen accreditation body for their policies and procedures.

    For more information, have a look at previously answered topics

    You can also download the free demo: ISO 17025 Documentation Toolkit https://advisera.com/17025academy/iso-17025-documentation-toolkit/
