Search results

  • Possible risks associated with clauses of ISO 17025

    Note that the risks will differ between laboratories, depending on the organisation structure and field of work. For example, some laboratories have additional regulations to comply with, e.g. Veterinary or Medical Cannabis testing or calibration laboratories.

    In all cases the priority is to identify possible risks that could impact on you not meeting your objectives.

    Some Examples:

    1. Ineffective QMS - A common example is the risk that laboratory policies and objectives are not aligned with your context. For example, turnaround time is a key performance requirement for an internal quality control laboratory due to production impact, yet turnaround time is not one of the established objectives. Impact a) operational performance.
    2. Risks to impartiality – examples are given in the standard, for example personal relationships, shared resources. Example: Impartiality due to Shared Resources, where preference is given to production personnel for use of shared resources. Impact a) operational performance (delay in turnaround time for lab test results). b) Quality (undue pressure on lab personnel, resulting in deviations).
    3. Risks related to statements of conformity if the decision rule to include or exclude Measurement Uncertainty is not suitable. This can result in a false pass or false fail. Impact a) Quality b) Legal / Regulatory.
    4. Risk levels not considered when taking corrective action for nonconforming work. Impact a) Financial (wasted resources) and b) Quality and Operational (reoccurring non-conformances).
    5. Ineffectiveness of activities, for example Management Review. Impact a) If MR itself is not effective, then risks will go unidentified. Impact a) Financial, Operational and Reputation
       

    A tip – find out or ask your accreditation body about the top 5 or 10 deficiencies in laboratories in your sector – and then look at the risk that you may have vulnerabilities on those topics, for example Technical Records.

  • ISO 27001 compliance in a system

    ISO 27001 compliance or certification would be a must if you have customers who require this standard, or if you have a regulation that would require it, or if your top management decided this has a strategic importance. If none of this is true, then there is no requirement to comply with ISO 27001.

  • Compliance with ISO 27001:2022

    1 - The question is 

    1. Should we start implementing ISO 27001:2022 after the 2nd Surveillance/Maintenance Audit for ISO 27001:2013 and then apply for Certification Audit for ISO 27001:2022 in 2024?

    or 

    2. Should we start implementing ISO 27001:2022 immediately and then apply for Certification Audit for ISO 27001:2022 in 2023? – is this even an option? Or do we need to complete the 3-year cycle?

    Answer:   Please note that for companies that are already certified against ISO 27001:2013, the transition to ISO 27001:2022 needs to be completed by October 31, 2025.

    Considering that, both alternatives are applicable, you should consider available resources (e.g., personnel, money, etc.) and business strategy and objectives to select an alternative.

    In case you do not have any urgent reason to make the transition, then you should go for implementing ISO 27001:2022 after the 2nd Surveillance/Maintenance Audit for ISO 27001:2013 and then apply for Certification Audit for ISO 27001:2022 in 2024 because in this scenario you will have more time.

    2. Staff training course/certificate completed

    ISO 27001:2013 Lead Auditor Course
    ISO 27001:2013 Internal Auditor Course
    The question regarding these courses/certificates is: in order to have ISO 27001:2022 Certification, will we just need to take a course + exam on the ISO 27001:2022 Foundation Course?

    For example:

    a.       ISO 27001:2013 Lead Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Lead Auditor Course Certificate 

    b.       ISO 27001:2013 Internal Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Internal Auditor Course Certificate 

    Answer: For certification purposes, you will need to consider training and certifications related to the 2022 version of ISO 27001.

    Please note that some training providers may offer upgrade courses related to changes in the standard, so you won’t need to go through all the certification processes. You should contact your training provider to clarify this information. 

    Advisera will offer the ISO 27001:2022 Transition Course for all of its students with ISO 27001:2013 certificates - once this transition course and exam are completed, we will issue the new ISO 27001:2022 certificate - for example, a person having the ISO 27001:2013 Lead Auditor Certificate will receive the ISO 27001:2022 Lead Auditor Certificate.

    3. Also, last year (2021), our company purchased the ISO 27001:2013 toolkit. Is there an upgrade option to ISO 27001:2022 and/or guidance on what document(s)/process(es) we need to change or document(s)/process(es) we need to create?

    Answer: Customers who have bought the toolkit up to one year before the release of the new version of ISO 27001:2022 (October 25th, 2022) will receive the updated documents at no cost. If you purchased the toolkit before that date, we will send you a discount code for the purchase of the 2022 revision of the toolkit. 

  • Matrix of Key Performance Indicators

    It is a set of KPIs in general, but yes, it can be different for every Management review.

  • Building Management Systems and ISO 14001

    For a service-providing organization, where most of the environmental aspects are centered in the operations done at the office, the configuration and management of Building Management Systems can help support the journey to ISO 14001. 

    A Building Management System manages and monitors equipment such as air-conditioning, energy, ventilation, gas meters, security devices, heating, lighting, and power systems. That equipment may be related to significant environmental aspects. So, a Building Management System helps with what ISO 14001 calls operational control.

    You can find more information below:

  • What records to create for backup restore?

    Please note that ISO 27001 does not prescribe how to record the results of a backup restore test, so you can adopt the record that best fits your needs. It can be a restored log, a report, or a screenshot, as you mentioned. But the most important thing is that this record needs to be validated in a way other than by the person that performed the restore test.

    For example, the backup software may have a feature that validates restoration (then you can use a screenshot of the verification result as a record). Another example is that you can perform a restoration of a set of files and ask the files’ owner to validate the restoration by answering an e-mail or filling in a report.

    For further information about backup, see:

  • Scope of application of quality standards

    Based on the standards you mentioned, I’m assuming you want information about information security standards.

    Considering that, NTC refers to Colombian versions of ISO/IEC standards, and the mentioned standards have the following scopes:

    • NTC ISO/IEC 27000 covers the glossary for information security vocabulary.
    • NTC ISO/IEC 27001:2013 and COLOMBIAN TECHNICAL STANDARD NTC-ISO/IEC 27001 cover the requirements for the implementation of an Information Security Management System
    • NTC ISO/IEC Guide 73:2002 covers the glossary of risk management vocabulary
    • ISO IEC 27005 – 2009 covers the requirements for information security risk management

  • How to become an AS9100 auditor?

    Mark, thank you very much for your reply. I really appreciate it. Sometimes it is a challenge trying to find a good starting point. I will dig a little bit more before committing to a particular training course.
