https://www.qualimetric.co.uk/iso-iec-17025-2017-published/


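This is the 2017 version, which amends the standard for computer forensic labs. It originates from the UK, but attention is now on whether other countries such as the US, Canada and Australia will adopt it as well.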

The changes in this revision are summarized below.


  1. A complete restructuring of the clause numbers. The standard now follows the standard ‘conformity assessment’ structure as used in publications such as ISO/IEC 17020 for Inspection bodies.  The document is now much more logical in its approach, with the ‘core business process’ of receiving requests through to issuing reports laid out in a pretty much sequential manner.  Support and management aspects are also largely grouped together and some of the wording simplified.
  2. Interaction with ISO 9001. Again, as per standards like ISO/IEC 17020, the standard identifies overlaps between ISO/IEC 17025 and ISO 9001, so if the laboratory is part of an ISO 9001 certified organization it will be easier to integrate business management systems.   This was very difficult to do with the 2005 edition.
  3. Impartiality risk assessment. A major enhancement involves requiring the laboratory to conduct an assessment of risks to its impartiality, as opposed to just demonstrating that it is impartial.   This will require some work to be done for most organisations who will now be required to perform such an assessment, mitigate any identified risks and periodically review risks.
  4. Risks and opportunities. The old clause on ‘Preventive Action’ has been replaced with a risk-based approach, as is the case with the change introduced in ISO 9001:2015. This requires that the laboratory considers the ‘risks and opportunities associated with the laboratory activities’. This will certainly serve to remove the ongoing confusion surrounding the esoteric differences between ‘Corrective’ and ‘Preventive’ actions, but will require most laboratories to put some considerable thought into identifying risks and mitigating them as well as identifying opportunities leading to improvement. Any such risk/opportunity assessments will be required to be linked to other monitoring systems (such as audits, non-conformance and corrective action systems) and periodically reviewed.
  5. Customer complaints. Although already covered in the 2005 edition of the standard, the 2017 edition includes far more detail on what has to be covered in the laboratory’s ‘documented process’ for complaint handling.   Whilst this should not represent much of a change for most organizations, a review will be required to be made to ensure current procedures reflect all of the new requirements.
  6. Handling of confidential information. As with the requirement on complaints, the standard has been ‘beefed up’ in terms of aspects of confidentiality. Again, laboratories will have to review their existing processes to ensure compliance, although it is not anticipated that this will require much in the way of practical changes to day-to-day operations.
  7. Internal audits. Not much has changed in this requirement other than the standard being more ‘risk-based’, with internal audits being based on ‘importance of activity’ as opposed to the old requirement of auditing each ‘element’ of the standard, although of course it is expected that accreditation bodies will still expect this to be done.
  8. Management review. Some minor changes have been added to the ‘input’ requirements, meaning an update to management review agendas to include aspects such as changes in internal and external issues, fulfilment of objectives, effectiveness of improvements and results of risk identification.
  9. Enhanced requirements have been included relating to reporting, particularly in the area of ‘decision rules’, where the effect of uncertainty is to be taken into account when issuing statements of compliance.
  10. Data and Information management systems. A separate section has been added regarding this topic which replaces the original ‘5.4.7 Control of data’ clause and some aspects of record management.   This brings the standard much more in line with current practices in use of computerised systems, but probably only really asks for what Accreditation bodies already expect in the way of controls.


