Search results

Business continuity plan, RTO and MTPD

Considering your MTPD is 2 hours and the resume of business is taking more than 4 days, then you can raise a nonconformity because recovering is taking more time than the defined MTPD.  

Documentation Hierarchy

Hi I need support to organise and map organisation documentation. How it should be organised as mandatory corporate documents

Level 1 documents

 1 Manuals
1.2 Policy
1.3 Strategy
1.4 Main Process Titles
1.5 Sub-Process

or shall we have policy first and them manuals. What is the diffrence between policy and manual?

Thanks

ISO 17025 and 22716

In all cases, the standard and regulatory body requirements needs must be met. In the case of CGMP as I understand the testing laboratory must be ISO 17025 accredited for the tests being performed. Your company needs to ensure that the laboratory results being used are valid, i.e. fit for your purpose. This includes reports that meet ISO 17025 accreditation requirements. All records must be retained as per your management system processes.

I suggest you reach out to the FDA and establish exactly what is required for stability studies.

Information Security Goals

Thank you for your question.

We answered it through Experta - you can find the answer here: https://experta.com/shared-post/ceebcd7b-9dd8-40b8-b06a-87878bcbbfab

RTO in the BIA questionnaire

Please note that the RTO is defined in the template 06.1_Appendix_1_Recovery_Time_Objectives_for_Activities_22301_EN based on MTPD (Maximum Tolerable Period of Disruption). The RTO for each listed activity should be equal or smaller than the defined MTPD for that activity.

In the template 05.1_Business_Impact_Analysis_Questionnaire_22301_EN you define the MTPD for each activity.

Included in the toolkit you have access to a video tutorial that can show you how to fill in the BIA questionnaire, with real examples, and define the MTPD.

Internal Audits

Internal audit findings hold significant importance in ISO Integrated Management System certification preparation by:

• Identifying Compliance: Highlighting gaps between current practices and ISO standards, aiding in aligning procedures to meet certification requirements.
• Improvement Opportunities: Pinpointing areas for enhancement fosters continual improvement in processes, systems, and performance.
• Risk Identification: Uncovering potential risks, enabling proactive risk management strategies to mitigate operational disruptions.
• Documentation Review: Ensuring documentation compliance with standards facilitating a robust system ready for certification audits.
   

Don’t forget when a certification body verifies that an organization reports and processes its audit findings, it sends the message that the system is working.

Understanding the core concepts of RPO & RTO - ISO 22301

1. I understand that Business RPO(BRPO) is the maximum amount of data loss in time a process can afford to lose in case of a disruption. However, can you help me understad the Application RPO(ARPO)? I think that's what I am not able to relate to.

Please note that in business continuity according to ISO 22301, there are no such terms as BRPO and ARPO, only RPO, because the return objectives focus on the activities, not on the assets.

Considering that, once the RPO is defined for an activity, it should be considered for all assets related to that activity, so the Application RPO (i.e., the maximum data loss for that application) would be exactly the RPO defined for the activity.  

2. Also, in my above query I talked about roll-up RTO and RPO values for applications, which are based on the minimum BRTO and BRPO values of the processes tagged to these applications as per best practises. It make sense to rollup RTO values to a minimum value in order for that application to support all the processes tagged to it. Also, RTO gap analysis make sense here.

Nevertheless, does it make sense to roll-up RPO values for application and identifying a gap based on that?

It does not make sense to think of different RTO and RPO for assets different from those defined for the activity.

For example, if you define RTO and RPO for assets larger than those defined for the activity, you won’t be able to recover the activity on defined objectives.

On the other hand, if you define RTO and RPO for assets smaller than those defined for the activity, you will be allocating more resources than needed to achieve the activity-defined objectives, and this would be inefficient.

Identifying the method and scope of audit

The Quality management system requirements for a laboratory must be based on the General requirements of ISO 17025 plus any sector-specific regulations and accreditation body program requirements.

In some situations the Scope of tests is regulated, otherwise it is the laboratory’s decision which test methods will be accredited and which not. The internal audit purpose is to assess whether the management system conforms to all the identified requirements (ISO 17025 and others) and if it is implemented and maintained effectively. The audit criteria are then the requirements. An audit program (schedule) must be established and the Scope of the various audits over a period would change, depending on what test method or area of work is being audited.

For more information, have a look at the ISO 17025 toolkit at https://advisera.co/ISO17025Toolkit, where there are there is a procedure, audit program format, an audit checklist, and report forms to guide you.

Also have a look at the articles ISO 9001 Horizontal audit vs. vertical audit at  https://advisera.co/HorizontalVsVerticalAudit and ISO 17025 Technical internal audit: The basics at https://advisera.co/17025TechnicalAudit

Fulfilling ISO/IEC 17025:2017 8.9.3

The outputs from the Management Review are the records of what was presented (these can be PowerPoint presentations) and then discussion, decisions, and agreed actions. As best practice, all the agenda items should be listed in a table or spreadsheet where the discussion, decisions, and agreed actions for each are recorded. This becomes an action list, with assigned responsibilities and deadlines. For each agenda item, the output is then a record of “answers” to the following questions
a) Is the process evaluated and deemed as suitable, i.e. effective?
b) What improvements are noted for the period?
c) Are there suitable resources available?
d) Are any changes to the process needed to either meet objectives, control risks or drive improvements?

For more information, have a look a the ISO 17025 toolkit at https://advisera.co/ISO17025Toolkit where there are there is a procedure and forms to guide you. Also, read  the article How to perform management review in ISO 17025 at https://advisera.com/17025academy/blog/2021/05/03/how-to-perform-management-review-in-iso-17025/

Sampling in coal mine

ISO 17025 provides general requirements for Sampling from the management system perspective if a laboratory is performing the sample. The objective is to obtain the required item for testing and retain necessary records. The laboratory needs a sampling method that documents the selection of sites and or samples or sites, a plan, and the preparation and treatment of a sample for the laboratory. In the case of coal sampling, it is not likely the laboratory would be responsible for sampling.  Coal sampling is very complex and is and the samples seldom truly represent the whole amount. For this reason, there are standards (international and national) that provide guidelines under different conditions.        

Depending on where you are based, I suggest you look at the national bodies for that sector. There are some published guidelines, along with ISO standards which fall under the ISO catalog ICS (International Classification for Standards) 73.040 Coals Including lignites. For Example, standard ISO/DIS 13909-1 Coal and coke Mechanical sampling

To assist you in meeting the ISO 17025 QMS requirements, in conjunction with the ISO standards on coal sampling, have a look at the toolkit https://advisera.co/ISO17025Toolkit where there are there is a procedure to guide you (Sampling procedure) and forms for a  sampling plan and sampling report. Also, have a look at the Clause-by-clause explanation of ISO 17025:2017 https://advisera.co/17025ClauseByClause