Search results

  • ISO 17025 Certification

    There are differences between ISO 17025:2017 and ISO 9001:2015: ISO 9001:2015 is a quality management system applicable to any type of industry and organization, while ISO 17025:2017 has more specific requirements, including technical competency, and is specifically applicable to testing and calibration laboratories that perform sampling for testing or produce test results or calibration services. 

    It will help to ask why your customers may be asking you to follow ISO 17025. For example, if your customers need to make decisions about the nature or suitability of a product, item or sample based on a test result or calibration service that you offer, they want to be assured of your company’s technical competency to produce a valid report. They may have a specific requirement for a legally binding test or calibration result to meet regulations in their own business sector. 

    While your company’s ISO 9001 certification will offer your customers reassurance that you have implemented a quality management system with a strong customer focus and process control, ISO 17025:2017 implementation and accreditation will provide assurance of your company’s competence and consistent operation of processes to provide them with valid results. 

    The following material will provide you with more information about ISO 17025 and its comparison to ISO 9001:

    What is ISO 17025? - https://advisera.com/17025academy/what-is-iso-17025/
    ISO 17025 vs. ISO 9001 – Main differences and similarities - https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities//
    Please check our ISO/IEC 17025 Blog - https://advisera.com/17025academy/blog/

    Download free ISO/IEC 17025 materials - https://advisera.com/17025academy/free-downloads/

  • Filling template

    1. Hello. The document my question refers to is: "Method for identifying requirements“ (chapter "02" of the toolkit).
    Where inside the document my question refers to: "5. Management of records for this document“
    Column 4: Measure to protect the record.
    The record will be the "list of requirements“. The defined measure to protect the record doesn’t make sense to me (in the German version): "Nur falls [Stellenbezeichnung] zur Bearbeitung von Daten berechtigt ist“ (literally: "Only if [job title] is authorized to process data").

    Can you please explain that to me?

    First of all, sorry for this translation.

    Please note that the original text in English is "Only [job title] is authorized to edit data".

    Unlike other records, which must not change over time (only in exceptional conditions), this list of requirements is a kind of record that may change regularly due to business and external factors (e.g., new customer security requirements, new laws and regulations, etc.). To ensure changes are controlled, the recommendation is that a defined role is in charge of updating this record.

    2. My question is inside chapter 4 of the method for identifying requirements. How does the annual assessment of the ISMS’s compliance with the requirements take place? What proof is required for this? 

    When auditing this record, the auditor will look for the previous lists in the period defined in the "Retention time" column, and will verify which changes were made from one version to the other and which person made the change (in this case, the job title defined in the "Control for record protection" column).

  • Third-party risk assessment questionnaire

    Risk assessment for third parties is no different from the risk assessment performed for your own organization, so you can use the same templates included in this ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    The templates included in this toolkit will help you implement risk assessment and treatment compliant with ISO 27001 & ISO 22301:

    • Risk Assessment and Risk Treatment Methodology
    • Risk Assessment Table
    • Risk Treatment Table
    • Risk Assessment and Treatment Report
    • Statement of Applicability
    • Risk Treatment Plan

    These materials will provide you with further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  • Finance Dept documents that need to be controlled

    You should include in the document and record control of your Quality Management System only those financial/accounting documents and records that are related to fulfilling customer and third-party requirements or conformity to product requirements. 

    For instance, certain procedures, such as the accounts receivable procedure, which describes the credit check process and the sales order approval process; work instructions for those positions that are related to customers/suppliers (e.g., Sales Order Entry, Purchase Order Entry, etc.); documents related to inventory control or budget allocation; etc.

    You can also see these materials to help you with the document and record control of the finance department:

    - New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/

    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/

  • Lead Auditor and implementer consultant

    It is possible to accumulate the Lead Auditor and Lead Implementer competences.

    In fact, a consultant who knows both how to implement the standard and the criteria and methods by which the certification auditor will perform the audit can better guide an organization through its implementation and certification process, adapting policies, procedures, and controls in a better way.

    These articles will provide you with further explanation about Lead Auditor and Lead Implementer:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

  • Certifying ISO 27001 & 9001

    ISO 9001 mandatory documents that are not part of ISO 27001 certification are:
    - Scope of the QMS (clause 4.3)
    - Quality policy (clause 5.2)
    - Quality objectives (clause 6.2)
    - Criteria for evaluation and selection of suppliers (clause 8.4.1)

    And these are the mandatory records for ISO 9001 that are not part of ISO 27001 certification:
    - Monitoring and measuring equipment calibration records* (clause 7.1.5.1)
    - Product/service requirements review records (clause 8.2.3.2)
    - Record about design and development outputs review* (clause 8.3.2)
    - Records about design and development inputs* (clause 8.3.3)
    - Records of design and development controls* (clause 8.3.4)
    - Records of design and development outputs* (clause 8.3.5)
    - Design and development changes records* (clause 8.3.6)
    - Characteristics of product to be produced and service to be provided (clause 8.5.1)
    - Records about customer property (clause 8.5.3)
    - Production/service provision change control records (clause 8.5.6)
    - Record of conformity of product/service with acceptance criteria (clause 8.6)
    - Record of nonconforming outputs (clause 8.7.2)

    Please note that there are also other documents that are not mandatory for ISO 9001 but are commonly used (again, only those not also used for ISO 27001are listed here):
    - Procedure for addressing risks and opportunities (clause 6.1)
    - Procedure for competence, training, and awareness (clauses 7.1.2, 7.2 and 7.3)
    - Procedure for equipment maintenance and measuring equipment (clause 7.1.5)
    - Sales procedure (clause 8.2)
    - Procedure for design and development (clause 8.3)
    - Procedure for production and service provision (clause 8.5)
    - Warehousing procedure (clause 8.5.4)
    - Procedure for monitoring customer satisfaction (clause 9.1.2)

    For more information, please see:
    - List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

  • Updating documentation

    No, you do not need to update all technical file documents to the new version. You just mark the changed documents as v2.1, and the rest of the documents that did not change you can leave at version 2.0. 

  • Difference between word needs and word expectations

    What you have is good, as long as it gives you enough information going forward.

    One interesting thing about this clause of the standard is that it does not require documented information, so any documentation you keep on the needs and expectations of interested parties is in addition to what the standard requires; just make sure that it has enough information for you and your management team to be able to assess that they understand the needs as they review them on an ongoing basis.

  • Risk assessment and treatment and business continuity plan

    Considering the scenario where you consider your likelihood scale OK, you have these alternatives to justify not creating a BCP for flood:

    • Top management accepts the risk as it is (this is an acceptable alternative that is always available to the organization for any risk it identifies), based on the knowledge that the treatment cost is equal to or greater than the impact of the risk occurring
    • Implement some other controls (e.g., backup, protection of facilities, etc.) to minimize the impact, and then accept the residual risk (even if it is higher than your acceptance criteria)
    • Transfer the risk (e.g., by buying insurance), and then accept the residual risk (even if it is higher than your acceptance criteria)

    Please note that the easiest way is still to adjust your likelihood scale so that flood likelihood is smaller than fire likelihood. For example, you could use a scale like:
    5 - likely to happen within 1 month
    4 - likely to happen within 1 year
    3 - likely to happen within 3 years
    2 - likely to happen within 5 years
    1 - likely to happen after 5 years

  • Filling template List of Legal, Regulatory, Contractual and Other Requirements

    ISO 22301 does not prescribe any format as the input source of legal, contractual and other requirements, so it is acceptable to use the transcripts of questionnaires or interviews where they are mentioned. However, it is important to note that if they are related to provided products or services, instead of using the transcript as the register, you should consider writing them into formal documents like contracts or service agreements, considering their potential use in legal disputes or actions.

    Finally, all such requirements (no matter in which form they are expressed) have to be listed in the List of legal, regulatory and contractual requirements.
