Search results


  • Starting the Process of getting ISO 17025 Accreditation

    To address your overall question of how to prove effective implementation of a system; it helps to ask the purpose of a specific requirement, i.e. why was it included in the ISO 17025 standard? This will help you work out what evidence you should provide.

    Regarding the impartiality clause, the overall purpose is to protect all involved (interested) parties, whether a staff member, customer, company or another group; to ensure there is no unfair influence on any of the laboratory activities. This means that the laboratory must not engage in any activities that could compromise fairness.  It requires that conflicts of interest do not exist (for example the laboratory financial manager, who is also the director of one of the laboratory service providers, should not be responsible for the performance evaluations of service providers). 

    The following are ways to demonstrate that all laboratory activities are undertaken in a fair manner, being unbiased and non-discriminatory:
    1. Commitment to impartiality. Show this through the way the laboratory is organized (personnel structure), established ethics and quality policies and awareness discussions with personnel. Include impartiality on the agenda for regular quality meetings and management reviews. Establish and retain records of signed personnel declarations, training and minutes of meetings, including management reviews, as suitable evidence.
    2. Management of risks to impartiality. Records of internal audits, management reviews, risk assessments and feedback from involved parties are suitable evidence that risks to impartiality are being managed.  Consider financial, commercial, or other pressures that may compromise impartiality. Organizational ownership, governance, marketing, contracts, finances and shared resources between departments must be assessed. You will show that the laboratory eliminates or minimizes risks to impartiality by separating conflicting activities through changing a process or changing personnel reporting lines and authorizations. Even if the initial risk assessment shows no apparent risks to treat, management is demonstrated by monitoring activities to identify possible threats to impartiality that may have arisen from laboratory or personnel relationships; on an ongoing basis. These must include regular customer and employment contract review to identify and treat new impartiality risks.

    The following ISO 17025 article provides further insight on how to manage risks, applicable to impartiality as well:

    Five-step laboratory risk management according to ISO 17025:2017 https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/ 

    The following ISO 17025 toolkit procedure and template may be of interest: 

    Addressing Risks and Opportunities Procedure at https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/
    ISO 17025 document template: Registry of Key Risks and Opportunities at https://advisera.com/17025academy/documentation/registry-of-key-risks-and-opportunities/

  • ISO 27001 & ISO 20000 implementation duration

    Implementation duration depends on the size of the company, but also your experience in such projects, and some other factors. 

    This article will help you: How long does it take to implement ISO 27001 https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/ - for implementing both ISO 27001 and ISO 20000 you will need 30% more time than for only one standard. 

  • A.13 Documentation Package

    Yes, if you use our ISO 27001 & ISO 22301 Documentation Toolkit but you want to be compliant only with ISO 27001, then the Disaster Recovery Plan is the only document you need to be compliant with section A.17 Business continuity. 

  • Filling template

    ...is it sufficient to list all the Contracts (that include SLA and Cost of the Project) or do we require to sign a specific Contract with the Customer which has all Information Security Guidelines?

    Not sure if I understood your question, but you can either sign a separate agreement with security clauses, or you can include security clauses in your main agreement. In any case, the agreements that include security clauses must be listed in the List of Legal, Regulatory, Contractual and Other Requirements.

    What if in this List an Organisation's Location is not Listed in the Link? Does the Legal representative of the org help in this scenario?

    The list of laws and regulations provided on our website is not official - you should consult a local legal expert to find out which security laws and regulations apply in your country. 

  • Clause 8

    Based on the information that I get from your question I believe that you should apply clause 8 to your business as an R&D organization.

    Clause 8.2 is about your customers, those to whom you develop the projects and validate the final product.

    Clause 8.3 is your main job.

    Clause 8.4 is about those materials, services and information that you buy to apply in the R&D activities. For example, test services, know-how, patent legal support.

    Clause 8.5 is about what you do in 8.3.

    Clauses 8.6 and 8.7 are about design and development controls.

    The following material will provide you more information about design and development:

    - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - Procedure for Design and Development - https://advisera.com/9001academy/documentation/procedure-design-development/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Asset Register - minimum value of an item to record

    In the context of ISO 27001, the purchase value of an asset is irrelevant - according to the standard, you should list all information and information systems related to your information.

    For example, a USB drive where you backed up all of your sensitive data might cost $5, but the value of this data might be huge for a company. 

    See also this article: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding handling assets:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own - https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course - https://advisera.com/training/iso-27001-foundations-course/

  • ISO 27001 implementation

    Here are the answers:

    Do I need to be ISO 27001 certified implementer to implement it?

    Answer: No - anyone can implement the standard. Of course, the more experience and skills you have, the more likely you will succeed in the implementation. If this is your first encounter with the standard, I would recommend you attend the free online training ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/ 

    Will I be able to follow the toolkit documentation to implement it, If we get your ISO 27001 toolkit?

    Answer: Yes - the toolkit is made for smaller and mid-size companies with employees that have no experience with ISO 27001. Besides the templates you will also get online support from our expert, as well as video tutorials that explain how to fill out the documents. 

    Do I need ISO 22301 toolkit too or ISO 27001?

    Answer: If your intention is ISO 27001 certification, then you should go only for ISO 27001 Toolkit because it contains all the documents needed for this standard - find more information here: https://advisera.com/27001academy/iso-27001-documentation-toolkit/ 

  • Certification of Lead Auditor for external ISO 27001 audit

    Not sure if I understood your question correctly, so let me try to clarify:

    • ISO 27001 certification can be done by an accredited certification body which employs qualified auditors - their qualification needs to include the Lead Auditor course
    • ISO 27001 implementation can be done by anyone, there is no formal requirement whatsoever for the implementation team

    See also: 

  • Identification and traceability requirements

    The last paragraph of ISO 9001:2015 clause 8.5.2 states that traceability is only a requirement when requested by the organization, by the regulation, or by a customer. With the changes that you describe you will lose traceability for each tote. Do customers or regulation require it? If so, you have a problem. If there is no requirement, adjust your internal rules to the new practice. Determine and evaluate the risks that can come out of this change.

    The following material will provide you more information about traceability:

    - Article – ISO 9001:2015 clause 8.5 Product realization – Practical examples for compliance - https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
    - Record of Traceability [ISO 9001:2015] - https://advisera.com/9001academy/documentation/record-traceability/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
