Search results


  • Automated Firewall Review

    Thank you for your question.

    We answered it through Experta - you can find the answer here: https://experta.com/shared-post/9694e497-ecc8-4a61-8046-eb3ab248f12a

  • Choose to Not implement a security control

    Well explained! Thank you :) 

  • SOP

    There is no mandatory requirement to list risks in an SOP. On the technical side, the overall risk assessment per test or calibration method should be performed according to your risk management procedure. You should, however, document in the SOPs the specific controls that are put in place to keep the risk at an acceptable level, i.e. the controls decided on during the risk assessment. Ensure you state clearly if some action is mandatory. For example: "Shake for 10 min. Do not leave samples standing after 10 minutes; filter immediately."

    For more information on risk assessment have a look at the Advisera ISO 17025 toolkit and webinars available. Start here https://advisera.com/iso-17025/

  • Business continuity plan, RTO and MTPD

    Considering your MTPD is 2 hours and the resumption of business is taking more than 4 days, you can raise a nonconformity because recovery is taking more time than the defined MTPD.

  • Documentation Hierarchy

    Hi, I need support to organise and map organisation documentation. How should it be organised as mandatory corporate documents?

    Level 1 documents

    1.1 Manuals
    1.2 Policy
    1.3 Strategy
    1.4 Main Process Titles
    1.5 Sub-Process

    Or shall we have policy first and then manuals? What is the difference between a policy and a manual?

    Thanks

  • ISO 17025 and 22716

    In all cases, the standard and regulatory body requirements must be met. In the case of CGMP, as I understand it, the testing laboratory must be ISO 17025 accredited for the tests being performed. Your company needs to ensure that the laboratory results being used are valid, i.e. fit for your purpose. This includes reports that meet ISO 17025 accreditation requirements. All records must be retained as per your management system processes.

    I suggest you reach out to the FDA and establish exactly what is required for stability studies.

  • Information Security Goals

    Thank you for your question.

    We answered it through Experta - you can find the answer here: https://experta.com/shared-post/ceebcd7b-9dd8-40b8-b06a-87878bcbbfab

  • RTO in the BIA questionnaire

    Please note that the RTO is defined in the template 06.1_Appendix_1_Recovery_Time_Objectives_for_Activities_22301_EN based on the MTPD (Maximum Tolerable Period of Disruption). The RTO for each listed activity should be equal to or smaller than the defined MTPD for that activity.

    In the template 05.1_Business_Impact_Analysis_Questionnaire_22301_EN you define the MTPD for each activity.

    Included in the toolkit you have access to a video tutorial that can show you how to fill in the BIA questionnaire, with real examples, and define the MTPD.

  • Internal Audits

    Internal audit findings hold significant importance in ISO Integrated Management System certification preparation by:

    • Identifying Compliance: Highlighting gaps between current practices and ISO standards, aiding in aligning procedures to meet certification requirements.
    • Improvement Opportunities: Pinpointing areas for enhancement fosters continual improvement in processes, systems, and performance.
    • Risk Identification: Uncovering potential risks, enabling proactive risk management strategies to mitigate operational disruptions.
    • Documentation Review: Ensuring documentation complies with the standards, facilitating a robust system ready for certification audits.

    Don’t forget: when a certification body verifies that an organization reports and processes its audit findings, it sends the message that the system is working.

  • Understanding the core concepts of RPO & RTO - ISO 22301

    1. I understand that Business RPO (BRPO) is the maximum amount of data loss, in time, that a process can afford to lose in case of a disruption. However, can you help me understand the Application RPO (ARPO)? I think that's what I am not able to relate to.

    Please note that in business continuity according to ISO 22301, there are no such terms as BRPO and ARPO, only RPO, because the return objectives focus on the activities, not on the assets.

    Considering that, once the RPO is defined for an activity, it should be considered for all assets related to that activity, so the Application RPO (i.e., the maximum data loss for that application) would be exactly the RPO defined for the activity.

    2. Also, in my above query I talked about rolled-up RTO and RPO values for applications, which are based on the minimum BRTO and BRPO values of the processes tagged to these applications, as per best practices. It makes sense to roll up RTO values to a minimum value in order for that application to support all the processes tagged to it. Also, an RTO gap analysis makes sense here.

    Nevertheless, does it make sense to roll up RPO values for an application and identify a gap based on that?

    It does not make sense to define RTO and RPO values for assets that differ from those defined for the activity.

    For example, if you define RTO and RPO for assets larger than those defined for the activity, you won’t be able to recover the activity within the defined objectives.

    On the other hand, if you define RTO and RPO for assets smaller than those defined for the activity, you will be allocating more resources than needed to achieve the activity-defined objectives, and this would be inefficient.
